TIBCO Log Management Intelligence User Guide
TIBCO LogLogic®
Log Management Intelligence (LMI)
User Guide
Software Release 5.6.3
January 2016
Two-Second Advantage®
Important Information
SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.
USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.
This document contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.
TIBCO, Two-Second Advantage, and LogLogic are either registered trademarks or trademarks of TIBCO Software Inc. in the United States and/or other countries.
All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.
THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. SEE THE README FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM.
THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.
THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.
THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.
Copyright © 2002-2016 TIBCO Software Inc. ALL RIGHTS RESERVED.
TIBCO Software Inc. Confidential Information
Preface
The LogLogic User Guide is an operational guide for LogLogic Appliances. It covers topics related to managing dashboards, reports, alerts, and performing searches to manage and use the log data collected and aggregated from all types of source systems in your enterprise.
Topics
• Related Documents on page 10
• Typographical Conventions on page 11
• Technical Support on page 13
Related Documents
The LogLogic documentation is available on the TIBCO Product Documentation website: https://docs.tibco.com/products/a_z_products
The following documents contain information about the LogLogic Appliances:
• LogLogic Release Notes — Provides information specific to the release including product information, new features and functionality, resolved issues, known issues and any late-breaking information. Check the LogLogic Customer Support Website periodically for further updates.
• LogLogic Hardware Installation Guide — Describes how to get started with your LogLogic Appliance. In addition, the guide includes details about the Appliance hardware for all models.
• LogLogic Configuration and Upgrade Guide — Describes how to install and upgrade the LogLogic Appliance software.
• LogLogic User Guide — Describes how to use the LogLogic solution: viewing dashboards, managing reports, managing alerts, and performing searches.
• LogLogic Administration Guide — Describes how to administer the LogLogic solution, including all Management and Administration menu options.
• LogLogic Log Source Configuration Guide — Describes how to support log data from various log sources. There is a separate manual for each supported log source. These documents include documentation on LogLogic Collectors as well as documentation on how to configure log sources to work with the LogLogic solution.
• LogLogic Collector Guides — Describe how to implement support for using a LogLogic Collector for specific log sources such as IBM i5/OS and ISS Site Protector.
• LogLogic Web Services API Implementation Guide — Describes how to implement the LogLogic Web Services APIs to manage reports, manage alerts, perform searches, and administer the system.
• LogLogic Syslog Alert Message Format Quick Reference Guide — Describes the LogLogic Syslog alert message format.
• LogLogic Enterprise Virtual Appliance Quick Start Guide — Provides instructions on how to quickly set up the TIBCO Enterprise Virtual Appliance.
• LogLogic Log Source Report Mapping Guide — Provides a set of tables listing Log Source Reports by Device Type, sorted by UI Category.
• LogLogic Online Help — Describes the Appliance user interface, including descriptions for each screen, tab, and element in the Appliance.
Typographical Conventions
The following typographical conventions are used in this manual.
Table 1 General Typographical Conventions

ENV_NAME, TIBCO_HOME, <ProductAcronym>_HOME: TIBCO products are installed into an installation environment. A product installed into an installation environment does not access components in other installation environments. Incompatible products and multiple instances of the same product must be installed into different installation environments. An installation environment consists of the following properties:
• Name: Identifies the installation environment. This name is referenced in documentation as ENV_NAME. On Microsoft Windows, the name is appended to the name of Windows services created by the installer and is a component of the path to the product shortcut in the Windows Start > All Programs menu.
• Path: The folder into which the product is installed. This folder is referenced in documentation as TIBCO_HOME.
TIBCO <ProductName> installs into a directory within a TIBCO_HOME. This directory is referenced in documentation as <ProductAcronym>_HOME. The default value of <ProductAcronym>_HOME depends on the operating system. For example, on Windows systems the default value is C:\tibco\<ProductAcronym>\<ReleaseNumber>.

code font: Code font identifies commands, code examples, filenames, pathnames, and output displayed in a command window. For example: Use MyCommand to start the foo process.

bold code font: Bold code font is used in the following ways:
• In procedures, to indicate what a user types. For example: Type admin.
• In large code samples, to indicate the parts of the sample that are of particular interest.
• In command syntax, to indicate the default parameter for a command. For example, if no parameter is specified, MyCommand is enabled: MyCommand [enable | disable]

italic font: Italic font is used in the following ways:
• To indicate a document title. For example: See TIBCO ActiveMatrix BusinessWorks Concepts.
• To introduce new terms. For example: A portal page may contain several portlets. Portlets are mini-applications that run in a portal.
• To indicate a variable in a command or code syntax that you must replace. For example: MyCommand PathName

Key combinations: Key names separated by a plus sign indicate keys pressed simultaneously. For example: Ctrl+C. Key names separated by a comma and space indicate keys pressed one after the other. For example: Esc, Ctrl+Q.

Note icon: Indicates information that is of special interest or importance, for example, an additional action required only in certain circumstances.

Tip icon: Indicates an idea that could be useful, for example, a way to apply the information provided in the current section to achieve a specific result.

Warning icon: Indicates the potential for a damaging situation, for example, data loss or corruption if certain steps are taken or not taken.
Technical Support
How to Join TIBCOmmunity
TIBCOmmunity is an online destination for TIBCO customers, partners, and resident experts. It is a place to share and access the collective experience of the TIBCO community. TIBCOmmunity offers forums, blogs, and access to a variety of resources. To register, go to http://www.tibcommunity.com
How to Access TIBCO Documentation
You can access TIBCO documentation here: https://docs.tibco.com
How to Contact TIBCO Support
For comments or problems with this manual or the software it addresses, contact TIBCO Support as follows:
• For an overview of TIBCO Support, and information about getting started with TIBCO Support, visit this site: http://www.tibco.com/services/support
• If you already have a valid maintenance or support contract, visit this site: https://support.tibco.com
Chapter 1
Using LogLogic Appliances
Topics
• LogLogic Appliance Overview on page 16
• Appliance User Functions on page 17
• LogLogic Product Families on page 18
LogLogic Appliance Overview
Log data can comprise up to 25 percent of all enterprise data. Log data also contains critical information that can improve security, compliance and availability. Until now most companies have relied on ineffective and inefficient homegrown solutions and manual processes to manage this data.
LogLogic provides the industry's first enterprise class, end-to-end log management solution. Using LogLogic log management solutions, IT organizations can analyze and archive network log data for the purpose of compliance and legal protection, decision support for network security remediation, and increased network performance and improved availability.
LogLogic log management Appliances simplify, automate, and reduce the cost of log data aggregation and retention, eliminating the need for servers, tape libraries, and archival administrators. If the network grows, simply rack and stack additional Appliances as needed.
Appliance User Functions
There are two primary user types on a LogLogic Appliance:
• User – monitors Appliance operations, runs searches, manages alerts, and creates and runs reports based on collected data
• Administrator – configures and maintains the Appliance itself, including managing log sources, user accounts, Appliance configurations, running backups, and more
Depending on access permissions, a user can perform User functions, Administrator functions, or both. This manual describes User tasks and functions. For Administrator information, see the LogLogic Administration Guide.
Dashboard, Reports, Search, and Alert functions can be opened by clicking their respective icons on the home page or by clicking their buttons on the top navigation menu on the home page.
Management and Administration functions for the Appliance are opened by clicking their buttons on the top menu on the home page. For more information on these functions, see the LogLogic Administration Guide.
Online Help can be opened by clicking the Help button on any page. Brief video tutorials provide tips and guidance by example for many new LogLogic features. Tutorials can be accessed from the home page and from certain application pages.
The Appliance GUI provides access to all Administrator and User functions. Administrators can perform all functions on the Appliance, while Users are limited to the functions that have been assigned to them by the System Administrator.
The functions in the navigation menu vary depending on the Appliance product family. For example, an ST Appliance displays fewer options than an LX Appliance because certain features are not available on ST Appliances. In addition, Reports may show different entries, depending on the Log Source Packages (LSPs) installed.
For all text fields throughout the UI, null is not a valid entry.
In addition to documentation, the LogLogic Appliance is supported by comprehensive, context-sensitive online Help, which can be opened from any UI page in the application. Clicking the question mark (?) opens Help for the particular tab that is highlighted. Clicking the word Help (above the question mark) opens the entire online Help repository, plus a Table of Contents, an Index, and a Search function within Help. Take a moment to explore Help to discover the rich content offered there.
LogLogic Product Families
LogLogic offers four families of products to provide better, faster and smarter log management, database security, and regulatory compliance solutions to corporations:
• LogLogic LX Appliances are purpose-built Appliances for real-time log data collection and analysis. These Appliances slash response times to network security and utilization incidents, boost IT productivity, and reduce the corporate cost of security and performance event remediation.
• LogLogic MX Appliances perform real-time log data collection and analysis ideal for mid-size and large companies. These Appliances slash response times to network security and utilization incidents, boost IT productivity, and are optimized to provide for log data needs in a non-enterprise environment.
• LogLogic ST Appliances automate the entire log data archival process, minimizing administration costs while providing more secure log data capture and retention.
• LogLogic Appliances bring visibility of compliance activity metrics to CIOs and CSOs, and control over activities to the compliance team, permitting them to proactively review the compliance timeliness and compliance posture mandated by Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI-DSS).
LogLogic Appliances provide the highest log collection and analysis performance amongst all log management vendors. Log events are received and indexed in real-time. The LogLogic Appliances have clearly stated metrics that cannot be matched.
LogLogic LX Product Family
Featuring a parallel processing architecture, the Appliances centralize log data collection and retention by simultaneously processing raw log data and metalog data at any volume. Distributed real-time reporting and targeted queries let administrators take immediate action on network issues from a centralized management console.
These Appliances help enterprises harness the power of log data for a safer, more reliable network, while reducing corporate IT costs and providing rapid return on investment.
LX Benefits
LX product family Appliances offer the following benefits:
• Real-Time Reports, ad-hoc queries and fast drill downs to speed up identification, isolation and repair of security and network incidents
• Non-disruptive installation and plug-and-play operation: no changes to network configurations, no integration with other systems, no training required, available in minutes
• Self-maintaining, embedded database technology that eliminates the need for DB administration
To view photographs of the LX Appliance layout, see the LogLogic Hardware Installation Guide.
LogLogic MX Product Family
The Appliances centralize log data collection and retention by simultaneously processing raw log data and metalog data at any volume. Designed specifically for mid-size and large companies, MX Appliances provide the disk space and processing power required for most non-enterprise environments.
MX Appliance features support the need to harness the power of log data for a safer, more reliable network, while reducing corporate IT costs and providing rapid return on investment. MX Appliances are designed for installations where data must be retained longer than LX Appliances provide, but where enterprise features such as failover and managing other log Appliances are not required.
MX Benefits
MX product family Appliances offer the following benefits:
• Real-Time Reports, ad-hoc queries and fast drill downs to speed up identification, isolation and repair of security and network incidents
• Features and specifications targeted specifically to mid-size and large companies
• Self-maintaining, embedded database technology that eliminates the need for DB administration
To view photographs of the MX Appliance layout, see the LogLogic Hardware Installation Guide.
LogLogic ST Product Family
Available in compact, rack-mountable systems with up to 8 terabytes of compressed on-board storage and interfaces to NAS devices, the ST Appliances archive up to 2 years of log data while eliminating the need for servers, tape libraries, and archive administrators.
The ST SAN (Storage Area Network) product offers potentially unlimited archive storage.
When used with LogLogic's LX Appliances, ST Appliances guarantee complete and accurate transmission of network equipment logs from anywhere on the enterprise WAN or LAN. ST Appliances feature an n-Tier architecture controlled by a management console that centralizes long-term log data archival while allowing for distributed log analysis and broader data accessibility.
ST Benefits
ST product family Appliances offer the following benefits:
• High volume log data aggregation from centralized and remote log data sources
• Long-term retention of unaltered, complete, raw log messages at a secure, central location to make archives unimpeachable
• Distributed architecture of remote collection and central storage make log data collection and retention infinitely scalable
To view photographs of the ST Appliance layout, see the LogLogic Hardware Installation Guide.
Scalable Infrastructure
The scalable LogLogic network infrastructure significantly accelerates response time to data center security and availability events, while providing complete log data archives for compliance and legal protection. LogLogic Appliances make log data in enterprise networks truly useful for the first time, improving corporate security, compliance and network availability, while reducing IT costs and costly network downtime, and improving corporate return on IT investment.
Chapter 2
Viewing Dashboards
LogLogic Appliances let you monitor a large variety of data to observe the system’s status and the widgets saved on your Dashboard.
Topics
• Viewing System Status on page 22
• Viewing Multiple Systems Status (Management Station) on page 27
• Viewing Log Source Status on page 32
• Viewing Log Source Data Trend on page 38
• Managing Your Dashboard on page 39
Viewing System Status
The System Status tab displays a condensed view of the Appliance's current state, showing current message rate, CPU utilization, database size, alerts, and total message counts.
After you log in to the Appliance, the System Status tab is the default display.
To view system status
1. Choose Dashboards > System Status from the navigation menu.
2. View the following sections on the System Status tab for information about your Appliance’s system status:
— Current Message Rate
— New Alerts
— Disk Usage
— CPU Usage
— Message Counters
Detailed descriptions for each section are documented in Table 2 on page 22.
3. Click to expand or collapse a section to display an expanded or condensed version of the section’s status information.
4. Optionally, click the Message Rate tab for a larger view of this graph. For more information, see Viewing Message Rate on page 29.
5. Optionally, click the CPU Usage graph or the CPU Usage tab for a larger version of this graph. For more information, see Viewing CPU Usage on page 30.
6. Click the Refresh button to update the system status information for your Appliance.
Table 2 System Status Tab Elements

General information

Uptime: Continuous running time since the last reboot of the Appliance.
Date/Time: Date and time set on the Appliance.
Software Version: LogLogic software release running on the Appliance.
Failover (not visible unless issues are present): Status of the Management Station cluster’s master and standby Appliances. If issues exist, they are indicated through flags:
• C: Cluster_id mismatch
• A: Appliance model mismatch
• V: Software version mismatch
• E: Eligible
• H: HA mode
• X: eXcluded
• O: Out-of-cluster
• M: Master
• S: Standby
For example, the failover status line Failover: master 10.1.4.6 (wait), standby 10.1.4.7 (flags:__V/EHX/O) means the master is waiting for the standby, and the standby is running the wrong software version, is configured for failover, is eligible for HA, but is excluded, and (as a result of the version mismatch) is out of cluster.
IMPORTANT! Once two Appliances are HA paired, no network settings should be changed.

System Status sections

Current Message Rate: Measured messages per second rate for the last 1, 5, and 15 minute time segments. Click the 1 MIN, 5 MIN, or 15 MIN heading links to change the Message Rate Graph time scale to 2 hour, 12 hour, and 24 hour time scales, respectively. When using LogLogic TCP for routing logs to the Appliance, this graph displays spikes of activity every 5 minutes rather than a steadier line. This is because LogLogic TCP transfers data in regularly recurring chunks that are merged on the Appliance, and not continually.
Message Rate Graph (Message Rate tab): Recent message rate over 1, 5, and 15 minute time segments. The pink line represents the average number of messages per time segment. The blue line represents the real-time incoming message rate for your Appliance. The red line appears when inbound traffic exceeds the preset threshold. Click the Message Rate tab for a larger view of this graph.
New Alerts: (LX/MX only) Number of active alerts over 1, 6, and 12 hour periods, categorized by priority.
Disk Usage: Current size of the database usage relative to table space allocation. This can be helpful for calculating data retention time tables, by listing Free and Total available usage.
CPU Usage: Current CPU utilization for the last 1, 5, and 15 minute time segments. Click on the 1, 5, and 15 minute headings to change the CPU Usage Graph time scale to 2, 12, and 24 hour time scales, respectively.
CPU Usage Graph: Percent CPU utilization over 1, 5, and 15 minute time segments. Click the CPU Usage Graph or the CPU Usage tab for a larger version of this graph.
Message Counters: Statistics on each message category stored in the Appliance since the last boot. The count corresponds to a percentage of the total number of messages received. This is useful in calculating data retention settings and maximum syslog message rates.
Message categories:
Total Received—Total number of incoming messages for all categories.
Processed—Total number of messages received and parsed into the database.
Unapproved—Messages received from a log source that is not in the Manage Devices table. These messages are discarded. The most recent 100 messages are accessible from the Data Sources screen. (If auto-identify is on, all messages are auto-identified and no messages are unapproved.)
Skipped—Total number of messages ignored by the Appliance due to a syntactic flaw in the message.
Dropped—Total number of messages recognized but not processed due to network congestion or a corrupted syslog message.
The following appear only on LX and MX Appliances:
Total Parsed—Total number of incoming messages parsed for all categories.
Accepted IP—Total number of messages indicating successful connections through the firewall. For example, PIX® Message Numbers 302013-302016.
Denied IP—Total number of messages indicating denied access by the firewall. For example, PIX Message Numbers 106001, 106006, 106007, 106015, 106023.
Security—Total number of messages to be recorded in the Security Event Log report.
System—Total number of messages to be recorded in the System Event Log report.
Generic—Total number of flawed messages received from an approved source. These messages are discarded.
URL—Total number of messages to be recorded to the Web Surfing Activity report.
FTP—Total number of messages to be recorded in the FTP Connections report.
Auth/Access—Total number of messages to be recorded to the VPN Events report.
Other—Any message that is not included in the other listed categories.
Refresh button: Updates the system status information for your Appliance.
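The Accepted IP and Denied IP counters in Table 2 are defined purely by firewall message number. The following Python script is an added example, not part of this guide or of the LogLogic product: it applies that same classification to a few constructed Cisco PIX syslog lines, so you can see how the per-category counts and percentages in the Message Counters section come about and which lines end up in Skipped or Other. The regular expression for the PIX message tag, the sample lines, and the decision to treat lines without a parseable tag as Skipped are assumptions made for this example; the guide only quotes the message numbers.

```python
import re
from collections import Counter

# Firewall message numbers the guide lists for the two counters (Table 2).
ACCEPTED_IP = set(range(302013, 302017))             # PIX 302013-302016
DENIED_IP = {106001, 106006, 106007, 106015, 106023}

# Cisco PIX/ASA syslog tag: %PIX-<severity>-<six-digit message number>: <text>
# Assumed format for this example; the guide only quotes the message numbers.
PIX_TAG = re.compile(r"%(?:PIX|ASA)-[0-7]-(?P<num>\d{6}):\s*(?P<text>.*)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample input: six syslog payloads as a firewall might emit them.
SAMPLE_LINES = [
    "%PIX-6-302013: Built inbound TCP connection 12345 for outside:203.0.113.5/51234 to inside:10.1.2.3/443",
    "%PIX-6-302014: Teardown TCP connection 12345 for outside:203.0.113.5/51234 to inside:10.1.2.3/443 duration 0:00:05 bytes 1234",
    '%PIX-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.1.2.3/22 by access-group "outside_in"',
    "%PIX-2-106001: Inbound TCP connection denied from 198.51.100.9/1234 to 10.1.2.4/3389 flags SYN on interface outside",
    "%PIX-6-305011: Built dynamic TCP translation from inside:10.1.2.3/51234 to outside:203.0.113.1/1024",
    "this line carries no recognisable message tag",
]


def classify(line: str) -> str:
    """Return the counter bucket one syslog line falls into."""
    m = PIX_TAG.search(line)
    if m is None:
        return "Skipped"            # syntactic flaw: no message tag to parse
    num = int(m.group("num"))
    if num in ACCEPTED_IP:
        return "Accepted IP"
    if num in DENIED_IP:
        return "Denied IP"
    return "Other"                  # recognised tag, but not a firewall accept/deny


def count_messages(lines) -> Counter:
    """Per-category counts plus the Total Received figure, as on the dashboard."""
    counts = Counter(classify(line) for line in lines)
    counts["Total Received"] = len(lines)
    return counts


def as_percent(counts: Counter) -> dict:
    """Express each category as a percentage of Total Received (one decimal)."""
    total = counts["Total Received"]
    return {cat: round(100.0 * n / total, 1)
            for cat, n in counts.items() if cat != "Total Received"}


def denied_sources(lines) -> Counter:
    """Source addresses behind the Denied IP counter.

    In the denial message texts used in these samples the source address is the
    first IPv4 literal; carrying that assumption to real logs should be checked.
    """
    sources = Counter()
    for line in lines:
        if classify(line) != "Denied IP":
            continue
        addrs = IPV4.findall(PIX_TAG.search(line).group("text"))
        if addrs:
            sources[addrs[0]] += 1
    return sources


if __name__ == "__main__":
    counts = count_messages(SAMPLE_LINES)
    for cat, pct in as_percent(counts).items():
        print(f"{cat:15s} {counts[cat]:4d}  {pct:5.1f}%")
    print("Denied IP by source:", denied_sources(SAMPLE_LINES).most_common())
```

Run against a real export of raw firewall messages, the percentages are the same figures the Message Counters section shows, and the per-source breakdown of denials is the detail the dashboard counter alone does not give you.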
Viewing Multiple Systems Status (Management Station)
The Management Station System Status is the fastest way to view the condition and status of your Appliances as traffic flows through your system. You can use this information to provide rapid reporting to the operations staff and to acquire information about syslog messages at any particular time.
The System Status information uses a proprietary technology for optimizing and then collecting security data for immediate use. Administrators can monitor the CPU usage when necessary to check for congestion.
After you log in to the Appliance, the Dashboards > Management Station tab is the default display.
To view system status using a Management Station
1. Choose Dashboards > Management Station from the navigation menu.
2. View the following sections on the Management Station tab for information about an Appliance’s status:
— Message Statistics
— Message Rate
— New Alerts
— Message Counters
For detailed descriptions of each section, see Table 3 on page 27.
3. Click the Refresh button to view updated status information for the Appliance.
Table 3 Management Station Screen Elements

General information

Software Version: Management Station Appliance’s software version.
Help button: Displays the Help topic for this tab.

Management Station sections

Appliances: Lists the Appliances in your Management Station cluster. To view the System Status for an Appliance, click its name. A green square indicates the Appliance is online. A red square indicates the Appliance is offline. A blank square indicates the Appliance entry is being updated.
Message Statistics: Displays the following message statistics:
Total, Processed, Dropped, Unapproved, and Skipped—Message processing information about each managed Appliance. Click a number in these columns to change the displayed value to the nearest thousand, million, or billion value.
Message Rate/Sec—Message rate, per second, by time segments of 1, 5, and 15 minutes. Click on the message rate values to set the Message Rate graph to 4, 12, and 24 hour timescales, respectively.
Time Skew—Time delta, in seconds, between the Management Station Appliance and each remote Appliance.
Message Rate Graph: Monitors the rate at which messages are passing through your Appliance. The Message Rate graph displays the current message rate by time segments of 1, 5, and 15 minutes. For example, 1 min – 100 msgs/sec. On ST Appliances, to the right of the minutes is the number of messages per second (xxx msgs/sec) for the Appliance. xxx does not reflect the amount of messages that comes in via the LogLogic TCP protocol. The pink line represents the average number of messages per time segment. The blue line represents the real-time incoming message rate for your Appliance. The red line appears when inbound traffic exceeds the preset threshold.
New Alerts: The number of activated alerts, by hour and priority (High, Medium, Low, All). Click an alert value to show the Aggregated LX or MX Alert Log.
Message Counters: Statistics on each message category stored in the syslog database. The count corresponds to a percentage of the total number of messages received. This is useful in calculating data retention settings and maximum syslog message rates. The following is a list of message counters:
Total Received—Total number of incoming messages for all categories.
Processed—Total number of messages received and parsed into the database.
Skipped—Number of messages ignored by the Appliance due to a syslog message syntactic flaw.
Unapproved—Messages received from a log source that is not in the Manage Devices table. These messages are discarded. The most recent 100 messages are accessible from the Data Sources screen. (If auto-identify is on, all messages are auto-identified and no messages are unapproved.)
Dropped—Messages recognized but not processed due to network congestion or faulty syntax.
Refresh button: Updates the system status information for your Appliance.
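The Failover status line documented in Table 2 compresses the health of the Management Station cluster pairing into a handful of flag characters. The Python below is an added example, not code from this guide or from LogLogic: it parses that line into its fields and turns the flags into a list of concrete problems, which is what you need if you scrape the dashboard for monitoring rather than reading it by eye. It assumes the flag string is positional, with the three mismatch flags (C, A, V) in the first group, the E, H and X flags in the second and the role flag (O, M or S) in the third, as in the guide's own example, and that underscores mark empty slots and slashes separate groups. The problem-free sample line is constructed for the example; the guide only shows the failing case.

```python
import re

# The status line format quoted in Table 2 of the guide:
#   Failover: master 10.1.4.6 (wait), standby 10.1.4.7 (flags:__V/EHX/O)
STATUS_RE = re.compile(
    r"Failover:\s*master\s+(?P<master>[0-9.]+)\s*\((?P<state>[^)]*)\),\s*"
    r"standby\s+(?P<standby>[0-9.]+)\s*\(flags:(?P<flags>[^)]*)\)"
)

# Flag letters and meanings as listed in Table 2. The positional layout of the
# flag string (mismatch flags / E,H,X / role), '_' as an empty slot and '/' as a
# group separator are inferred from the guide's example, not documented.
FLAGS = {
    "C": "cluster_id mismatch",
    "A": "Appliance model mismatch",
    "V": "software version mismatch",
    "E": "eligible for HA",
    "H": "HA mode configured",
    "X": "excluded from the cluster",
    "O": "out of cluster",
    "M": "master",
    "S": "standby",
}
MISMATCH = {"C", "A", "V"}
SEPARATORS = {"_", "/"}

GUIDE_EXAMPLE = "Failover: master 10.1.4.6 (wait), standby 10.1.4.7 (flags:__V/EHX/O)"
# Constructed for this example: a problem-free pairing written in the same layout.
HEALTHY_EXAMPLE = "Failover: master 10.1.4.6 (active), standby 10.1.4.7 (flags:___/EH_/S)"


def parse_status(line: str) -> dict:
    """Split the status line into master, master state, standby and the set of flags."""
    m = STATUS_RE.search(line)
    if m is None:
        raise ValueError(f"not a failover status line: {line!r}")
    raw = m.group("flags")
    unknown = set(raw) - set(FLAGS) - SEPARATORS
    if unknown:
        raise ValueError(f"unknown failover flag(s) {sorted(unknown)} in {raw!r}")
    return {
        "master": m.group("master"),
        "master_state": m.group("state"),
        "standby": m.group("standby"),
        "flags": {c for c in raw if c in FLAGS},
    }


def problems(status: dict) -> list:
    """Describe what is wrong with the pairing; an empty list means healthy."""
    found = []
    flags = status["flags"]
    standby = status["standby"]
    if status["master_state"] == "wait":
        found.append(f"master {status['master']} is waiting for the standby")
    for flag in sorted(flags & MISMATCH):
        found.append(f"standby {standby}: {FLAGS[flag]}")
    if "H" not in flags:
        found.append(f"standby {standby} is not configured for HA")
    if "E" not in flags:
        found.append(f"standby {standby} is not eligible for HA")
    if "X" in flags:
        found.append(f"standby {standby} is excluded from the cluster")
    if "O" in flags:
        found.append(f"standby {standby} is out of cluster")
    return found


def is_healthy(line: str) -> bool:
    return not problems(parse_status(line))


if __name__ == "__main__":
    for line in (GUIDE_EXAMPLE, HEALTHY_EXAMPLE):
        print(line)
        for p in problems(parse_status(line)) or ["no problems detected"]:
            print("  -", p)
```

Unknown flag letters raise rather than being ignored, so a firmware change to the status format surfaces as a parse failure instead of a silently green check; the guide notes that the Failover line is only shown when issues are present, so simply seeing it is itself worth an alert.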
Viewing Message Rate
The Message Rate tab shows the number of messages processed by the Appliance over a 12-hour time period.
To view the message rate of the Appliance
1. Choose Dashboards > System Status from the navigation menu.
2. Click the Message Rate tab to view the Message Rate graph.
3. If you are viewing a larger version of the Message Rate graph, click the back and forward buttons to display the number of messages during a specific time segment. For additional information about the graph, see Table 4 on page 30.
4. Click the Refresh button to update the Message Rate graph.

Table 4 Message Rate Tab Elements

Navigation button: Go back 12 hours.
Navigation button: Go back six hours.
Navigation button: Go forward 12 hours.
Navigation button: Go forward six hours.
Help button: Displays the corresponding Help topic.

Message Rate section

<blue line>: Real-time message traffic, which includes UDP syslog and/or raw TCP (SyslogNG) traffic.
<pink line>: Average rate of the incoming messages for the time segment shown.
<red line>: Appears when inbound traffic exceeds the preset threshold.
Refresh button: Updates the Message Rate graph.
Viewing CPU Usage
The CPU Usage tab contains a graph that shows CPU utilization as a percentage over a 12-hour time period.
To view the CPU usage
1. Choose Dashboards > System Status from the navigation menu.
2. View the CPU usage by doing one of the following in the System Status screen:
— View the small graph in the CPU Usage section.
— Click on the small graph in the CPU Usage section to view a larger version of the graph.
— Click the CPU Usage tab to view a larger version of the graph.
3. If you are viewing a larger version of the CPU Usage graph, click the back and forward buttons to display CPU usage during a specific time segment.
For additional information about the graph, see Table 5.
4. Click the Refresh button to update the CPU Usage graph.
Table 5 CPU Usage Tab Elements
Back 12 hours button: Go back 12 hours.
Back six hours button: Go back six hours.
Forward 12 hours button: Go forward 12 hours.
Forward six hours button: Go forward six hours.
Help button: Displays the corresponding Help topic.
CPU Usage section:
Blue line: CPU usage in real time.
Pink line: Average CPU percent utilization for the time segment shown. To see a larger version of the graph, click the CPU Usage tab.
Refresh button: Updates the CPU Usage graph.
Viewing Log Source Status
The Log Source Status tab lets you view statistics for each source device.
If, during auto-discovery, a device has the same name as an existing device, a random number is appended to the source IP address to form the name of the new device.
To view the log source status
1. Choose Dashboards > Log Source Status from the navigation menu.
2. View the following log status information for each source device:
— Name
— IP Address
— Type
— Collector Domain
— Total Message Count
— Byte Rate/Sec
— Description
For detailed descriptions of each item, see Table 6 on page 32.
3. Click the Refresh button to update the view of your devices.
4. Optionally, click the Print button to print all the items in the list.
Log Source Status Descriptions
Table 6 lists and describes the elements in the Log Source Status tab.
Table 6 Log Source Status Tab Elements
CSV button: Saves the report in CSV format. Save the file and open it in a spreadsheet application such as Excel for viewing.
Note: The CSV file saves and displays a maximum of 10,000 lines. A generated report can contain more than this number.
Table 6 Log Source Status Tab Elements (Cont'd)
HTML button: Displays the report in HTML format in a new window. You can save the HTML file to your local machine.
Note: The HTML file saves and displays a maximum of 5000 lines. A generated report can contain more than this number.
PDF button: Saves the report as a PDF file. You can save the PDF file to your local machine. Viewing the generated report as a PDF requires Adobe Acrobat Reader version 6.0 or higher.
Note: The PDF file saves and displays a maximum of 5000 lines even though the generated report may contain more than this number.
Print button: Click to print all the items in the list.
Help button: Click to display the corresponding Help topic.
Paging controls:
• Displays the previous page of detail for the device list.
• Displays the next page of detail for the device list.
• To display details for a specific page, type a page number and click GO.
Note: For certain pages that display this option, you can only view a set number of rows. To set the number of rows to view, use the Personal Preferences tab.
Log Source Status section (all of the following columns are sortable)
Name: Name of your source device. The format for this field is <collector domain id>_<ip address>_<device type>, for example 1_10.10.10.10_windows.
IP Address: IP address for your source device.
Type: Type of source device.
Collector Domain: The name used to identify each message sent from a specific device. This can be either the Collector Domain name added in the LogLogic Universal Collector or the name specified in LMI when the device was added.
Table 6 Log Source Status Tab Elements (Cont'd)
Total Message Count: The following message counts are shown:
• Total: Total number of messages processed for the specified device.
• 1 Min: Total number of incoming messages during the previous one-minute period.
• 5 Min: Total number of incoming messages during the previous five-minute period.
• 15 Min: Total number of incoming messages during the previous 15-minute period.
1 Min (Byte Rate/Sec): Byte rate per second for each device during the previous one-minute period.
Description: Description you defined for the source device in the Management > Devices > Devices tab or the Management > Check Point Configuration > Interfaces tab. If you selected the Auto-identify Log Sources option in the Administration > System Settings > General tab, the system displays that the source device is an auto-identified log source.
Refresh button: Updates the view of your devices. If auto-identify is enabled and the Appliance detects new devices, Refresh displays them in this view.
Table 6 Log Source Status Tab Elements (Cont'd)
Advanced Options: By default, all these options are displayed:
• Name
• IP Address: supports /prefix length <0-32> for IPv4 and /prefix length <0-128> for IPv6. Available operators include:
— equals: returns only the pattern entered
— not equals: returns everything but the entered pattern
— in: several patterns may be entered, separated by commas; all matches are returned
— not in: returns everything that matches none of the entered patterns
— like: behaves the same way as "in"
— not like: behaves the same way as "not in"
Note: The use of asterisks (*) is no longer supported.
• Type
• Collector Domain
• Total
• 1 Min
• 5 Min
• 15 Min
• 1 Min (Byte Rate/Sec)
• Description
Sort order: Use the drop-down menu to view options in ascending or descending order.
Clear button: Deletes all text in the Advanced Options text boxes.
Execute button: Runs the query with the defined Advanced Options parameters.
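To make the columns and filter operators in Table 6 concrete, here is an added Python example (not code from the LogLogic manual or product) that rebuilds the same figures from constructed per-message records: it parses the <collector domain id>_<ip address>_<device type> name format, computes the Total, 1 Min, 5 Min and 15 Min counts and the 1 Min byte rate, applies the IP Address operators with /prefix matching for IPv4 and IPv6, and, going one step beyond the table, lists sources that have sent nothing for 15 minutes, because a log source that goes silent is a detection gap, not a quiet network. The source names, addresses, timestamps and the silent-source check are assumptions for illustration.

```python
"""Per-source statistics and the IP Address filter of the Log Source Status tab.

Added example, not part of the LogLogic manual or product. It rebuilds the
Total / 1 Min / 5 Min / 15 Min counts and the 1 Min byte rate from
constructed per-message records, applies the Advanced Options IP operators
with /prefix support for IPv4 and IPv6, and adds a check for sources that
have gone silent (a log source that stops sending is a detection gap).
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

Event = Tuple[int, str, int]  # (epoch seconds, source name, message bytes)


@dataclass(frozen=True)
class LogSource:
    collector_domain: str
    ip: str
    device_type: str


def parse_source_name(name: str) -> LogSource:
    """Split a name of the form <collector domain id>_<ip address>_<device type>.

    IP literals (v4 or v6) never contain underscores, so the first two
    underscores delimit the fields; the device type may itself contain one.
    """
    domain, ip, device_type = name.split("_", 2)
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    return LogSource(domain, ip, device_type)


def window_counts(events: Iterable[Event], now: int, source: str) -> dict:
    """Total, 1/5/15-minute message counts and 1-minute byte rate for one source."""
    counts = {"Total": 0, "1 Min": 0, "5 Min": 0, "15 Min": 0}
    bytes_1min = 0
    for ts, src, size in events:
        if src != source:
            continue
        age = now - ts
        counts["Total"] += 1
        if age < 60:
            counts["1 Min"] += 1
            bytes_1min += size
        if age < 300:
            counts["5 Min"] += 1
        if age < 900:
            counts["15 Min"] += 1
    counts["1 Min (Byte Rate/Sec)"] = round(bytes_1min / 60, 2)
    return counts


def silent_sources(names: Iterable[str], events: List[Event], now: int) -> List[str]:
    """Sources with no messages in the last 15 minutes (assumed staleness check)."""
    return [n for n in names if window_counts(events, now, n)["15 Min"] == 0]


OPERATORS = ("equals", "not equals", "in", "not in", "like", "not like")


def ip_filter(sources: Iterable[LogSource], operator: str, pattern: str) -> List[LogSource]:
    """Apply one Advanced Options IP Address operator.

    pattern holds one address or network, or several separated by commas
    for the list operators. Each may carry /prefix (0-32 for IPv4, 0-128
    for IPv6); a bare address is treated as a single-host network. As the
    manual states, "like" behaves as "in", and asterisks are not supported.
    """
    if operator not in OPERATORS:
        raise ValueError(f"unknown operator {operator!r}")
    if "*" in pattern:
        raise ValueError("asterisks are not supported; use a /prefix length")
    nets = [ipaddress.ip_network(p.strip(), strict=False) for p in pattern.split(",")]
    wanted = operator in ("equals", "in", "like")

    def hit(src: LogSource) -> bool:
        addr = ipaddress.ip_address(src.ip)
        return any(n.version == addr.version and addr in n for n in nets)

    return [s for s in sources if hit(s) == wanted]


# Constructed sample data; names, addresses and timestamps are invented.
NOW = 1_700_000_000
SOURCE_NAMES = (
    "1_10.10.10.10_windows",
    "1_10.10.20.5_cisco_asa",
    "2_192.168.1.7_linux",
    "2_fd00::aaaa:a73:1a3d_linux",
)
SOURCES = [parse_source_name(n) for n in SOURCE_NAMES]
EVENTS: List[Event] = [
    (NOW - 10, "1_10.10.10.10_windows", 120),
    (NOW - 45, "1_10.10.10.10_windows", 180),
    (NOW - 200, "1_10.10.10.10_windows", 150),
    (NOW - 800, "1_10.10.10.10_windows", 150),
    (NOW - 2000, "1_10.10.10.10_windows", 150),
    (NOW - 30, "2_192.168.1.7_linux", 90),
]

if __name__ == "__main__":
    for name in SOURCE_NAMES:
        print(name, window_counts(EVENTS, NOW, name))
    print("in 10.10.0.0/16:", [s.ip for s in ip_filter(SOURCES, "in", "10.10.0.0/16")])
    print("silent for 15 min:", silent_sources(SOURCE_NAMES, EVENTS, NOW))
```

The version check in hit() matters because an IPv4 pattern must never match an IPv6 source or vice versa; Python's ipaddress already returns False for mixed-family containment, so the explicit test only documents the intent. The silent-source list is the one thing the tab does not hand you directly; sorting by 15 Min and reading the zeros by eye does not scale past a few dozen devices.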
Viewing Unapproved Messages
Use the Unapproved Messages tab to view information on up to 100 of the most recent real-time messages received from a recognized but unapproved source.
Unapproved messages are discarded.
Summary data on unapproved messages can be seen from the Dashboards > System Status tab.
Messages from logs routed using LogLogic TCP are not listed here because they are not treated as real-time messages.
To view unapproved messages
1. Choose Dashboards > Log Source Status from the navigation menu.
2. Click the Unapproved Messages tab.
3. This section contains the following elements.
Table 7 Unapproved Messages Tab Elements
No.: Number assigned to the message.
Time: Time the message was received.
Firewall: IP address of the Appliance through which the message was received.
Message: Text of the message.
4. Click the Refresh button to update the information.
5. (Optional) Click the Print button to print all the messages in the list.
Viewing Recent Messages
Use the Recent Messages tab to view information on up to 100 of the most recently-received real-time messages.
Messages from logs routed using LogLogic TCP are not listed here because they are not treated as real-time messages.
To view recent messages
1. Choose Dashboards > Log Source Status from the navigation menu.
2. Click the Recent Messages tab.
3. This section contains the following elements.
Table 8 Recent Messages Tab Elements
No.: Number assigned to the message.
Time: Time the message was received.
IP Address: IP address of the Appliance through which the message was received.
Message: Text of the message.
4. Click the Refresh button to update the information.
5. (Optional) Click the Print button to print all the messages in the list.
Viewing Log Source Data Trend
The Log Source Data Trend tab displays graphs of the incoming syslog data rate in MB from all sources over the last 24 hours. The top graph displays Realtime Logs, and the bottom graph shows File Transfer Logs. Log data that has been fully indexed is represented by blue bars; log data still to be indexed is represented by orange bars. The bar graphs refresh once per minute.
To view log source data trend
1. Choose Dashboards > Log Source Data Trend from the navigation menu.
2. View the syslog data from all sources within the last 24 hours.
Managing Your Dashboard
The My Dashboard menu allows you to customize your Dashboard with visualizations, known as "widgets", representing Report Results, Search Results, Alerts, and Appliance performance. For example, if you have an Index Search showing web surfing activity within the intranet, this data can be presented on your Dashboard using the Trend Graph widget and refreshed periodically with recent data from the Index Search.
The system admin can specify the maximum number of widgets that can be displayed on your Dashboard using the Administration > System Settings > General tab.
It is possible to exceed the recommended number of widgets (10) on your My Dashboard. However, graphical errors may result in the data displayed. Similarly, if you set the amount of data to be displayed inside each widget beyond the recommended value of 10, graphical errors may result.
Widget Types
You can create different types of widgets to add to your dashboard canvas. The different types are:
• Summary: Displays the top 10 results from any report saved with the "Summarized" option. It also displays all Index Reports, as well as Index Searches that are grouped by an option (except grouped by Time). For details, see Managing Summary Widgets on page 41.
• Trend: Displays a trend of Index Search "hits" occurring over a period of 1 day, 1 week or 1 month. For details, see Managing Trend Widgets on page 44.
• Alerts: Displays recent triggered alerts matching your specified filters. For details, see Managing Alert Widgets on page 47.
• System: Displays network-based and file-based data ingest trends, disk usage, and CPU utilization. For details, see Managing System Widgets on page 49.
Note the following about widgets:
1. The widget list is populated only by saved reports. Therefore, you must save a report before you can create a widget.
2. Imported Compliance Suites are templates, not reports. Hence, you need to save one as a report before it appears in the widget list.
3. Widgets show data for the time period specified (Once every few hours, Once a day, Once a week, or Once a month). The widget data is refreshed only after the time period has completely passed. For example, if you specify the Once a day time frame and data arrives at 2:17 pm, the widget data is refreshed after midnight. Similarly, if you specify the Once a week time frame, the widget data is refreshed after Sunday midnight.
4. A widget report is always executed according to its schedule. Only when a widget is first created and added to the dashboard does the widget report execute outside the schedule. Therefore, if you want to modify a widget report schedule, first delete the widget, then re-create a new widget with the new schedule.
About My Dashboard
By default, the dashboard canvas displays some pre-configured widgets. The Widgets link enables you to add widgets to your dashboard. A new widget is always added on the upper left side of your dashboard canvas. If a widget is already on the dashboard, you cannot add the same widget again. For detailed information about widgets, see Managing Widgets.
The NAS/SAN Disk Usage widget will display only on the ST Appliance.
To view your dashboard
1. Access Dashboards > My Dashboard from the navigation menu.
2. View your My Dashboard canvas.
Managing Widgets
The Dashboard is highly customizable with widgets and data of your selection.
The Widgets link allows you to view and add existing widgets to your dashboard, create new widgets, edit existing widgets settings, or remove widgets from the system.
Using the drag-and-drop method, you can change the position of widgets on your Dashboard. Click and drag the widget's title bar to move a widget to a new location on the canvas. You can also resize any widget by pulling the bottom side of the widget. The system automatically saves your latest widget positions with your LogLogic User Account.
Depending on the widget type, some widgets display different buttons on the upper right corner of the widget. Table 9 lists and describes the widget buttons.
Table 9 Widget buttons
Show Toolbar: Shows the toolbar for that widget. Using this toolbar, you can view different presentation options of the selected report. For example, for a Summary widget, you can choose to view a Column chart, a Bar chart or Table format.
Full Screen: Displays the widget in full screen view. If it is already in full screen view, this restores the widget to normal size.
Settings: Displays the widget's existing settings. Click the button to open the Edit widget settings window, where you can change the widget's existing settings.
Remove: Removes the widget from your Dashboard. However, the widget is still available in the widget list to use on other dashboards.
Color: Select the color of the widget's graph from a color palette.
Note: From the widget toolbar, this button is available only for certain widget types.
By default, widgets are created exclusively for your use. However, you can share your widgets with others by checking the Shared option on the widget's settings screen. Sharing Report and Search widgets improves system performance, since the underlying data used for the visualization only needs to be created once for all Dashboard views of the widget.
Managing Summary Widgets
The Summary widget provides a focused visualization of the first 10 records returned by the underlying saved report query.
If you click the Show Toolbar button, the widget displays more view options, such as Column Chart, Bar Chart, Table, Axis Label, and Drilldown. The Drilldown button takes you to the actual report page, where you can run the report with the same log sources. The time frame on the widget is defined separately from the actual report's time range. Similarly, when a widget is shared and you do not have the same privileges as the widget owner, you may not be able to view the same data as displayed in the widget.
For more information on other widget buttons, see Table 9.
To add an existing summary widget to your dashboard
If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again.
1. Access Dashboards > My Dashboard > Widgets from the navigation menu.
2. Click the Summary icon. A list of existing summary widgets, if any, is displayed in the second pane.
3. Select the widget from the list. The widget’s settings are displayed for your review in the third pane.
4. Click the Add to Dashboard button to add the widget to your dashboard.
To create a new summary widget
To create a summary widget, you must have the Reporting privileges. For more information about privileges, see Managing Users in the LogLogic Administration Guide.
1. Access Dashboards > My Dashboard > Widgets from the navigation menu.
2. Click the Summary icon. A list of existing summary widgets, if any, is displayed in the second pane.
3. Click the Create New button to create a new widget. The new widget settings pane appears.
4. Enter the Name and Description of the widget.
5. Select a report from the Report list as explained in Table 10.
6. Specify a Timeframe as explained in Table 10.
Table 10 Summary Widgets Elements
Name: Name of your widget that is displayed on the widget Title bar.
Description: Description of your widget.
Shared: Select the checkbox if you want to share your widget with others. However, only the creator can edit this widget's settings.
Selected: Displays the selected report from the Report list. When no report is selected, None is displayed.
Enter text to filter: Enter the text to filter the Report list and then press Enter.
Report list: By default, the following columns are displayed:
Type: the report template type, for example, User Access
Name: the name of the report
Description: the description of the report
Click on a column heading to sort the table by that column in ascending or descending order.
Timeframe section
Run: Specify the time frame to refresh the widget's report results. The options are:
Once every few hours
Once a day
Once a week
Once a month
Note: Depending on the selected Run option, the fields that follow change. For example, if you select the Once a week option, specify the time and the day of the week.
Intervals: Specify the appropriate intervals.
7. Click the Save Settings button to save the widget’s settings. The widget is now listed in the saved widget list. Click Add to Dashboard button to add the widget to your dashboard.
Or,
Click the Save & Add to Dashboard button to save the settings and add the new widget to your dashboard.
To edit an existing summary widget’s settings
Only the creator of the widget can edit that widget’s settings.
1. Select a widget from the saved widget list.
2. Make the appropriate changes.
3. Click the Save Settings button to save the new settings.
The Save & Add to Dashboard button is available only when the widget is not on your dashboard.
Managing Trend Widgets
The Trend widget displays a trend of Index Search “hits” occurring over a period of 1 day, 1 week or 1 month.
If you click the Show Toolbar button, the widget displays more view options, such as Column Chart, Line Chart, and Drilldown. The Drilldown button takes you to the actual report page, where you can run the report with the same log sources. The time frame on the widget is defined separately from the actual report's time range. Similarly, when a widget is shared and you do not have the same privileges as the widget owner, you may not be able to view the same data as displayed in the widget.
For more information on other widget buttons, see Table 9.
Figure 1 Trend Widget Example
Trend widgets allow you select a time range and zoom in to the data. When you specify a time range on the widget, the Drilldown option will use the same time range to display the report. If the chart is zoomed in, the zoomed time range will be used if you click the Drilldown option.
Figure 2 Trend Widget Zoomed in time range Example
To add an existing trend widget to your dashboard
If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again.
1. Access Dashboards > My Dashboard > Widgets from the navigation menu.
2. Click the Trend icon. A list of existing trend widgets, if any, is displayed in the second pane.
3. Select the widget from the list. The widget’s settings are displayed for your review in the third pane.
4. Click the Add to Dashboard button to add the widget to your dashboard.
To create a new trend widget
To create a trend widget, you must have the Index Search privileges. For more information about privileges, see Managing Users in the LogLogic Administration Guide.
1. Access Dashboards > My Dashboard > Widgets from the navigation menu.
2. Click the Trend icon. A list of existing trend widgets, if any, is displayed in the second pane.
3. Click the Create New button to create a new widget. The new widget settings pane appears.
4. Enter the Name and Description of the widget.
5. Select a saved search from the Search list as explained in Table 11.
6. Specify the Trend Range as explained in Table 11.
Table 11 Trend Widgets Elements
Name: Name of your widget displayed on the widget Title bar.
Description: Description of your widget.
Shared: Select the checkbox if you want to share your widget with others. However, only the creator of the widget can edit the settings.
Selected: Displays your selected search. When no search is selected, None is displayed.
Enter text to filter: Enter the text to filter the saved search list and then press Enter.
Search List: By default, all these columns are displayed:
Type: the report template type, for example, User Access
Name: the name of the report
Description: the description of the report
Click on a column heading to sort the table by that column in ascending or descending order.
Trend Range section
Timespan: Specify the timespan from the drop-down menu. The options are:
• 1 Day
• 7 Days
• 30 Days
7. Click the Save Settings button to save the widget's settings. The widget is now listed in the saved widget list. Click the Add to Dashboard button to add the widget to your dashboard.
Or,
Click the Save & Add to Dashboard button to save the settings and add the new widget to your dashboard.
To edit an existing trend widget’s settings
Only the creator of the widget can edit that widget’s settings.
1. Select a widget from the saved widget list.
2. Make the appropriate changes.
3. Click the Save Settings button to save the new settings.
The Save & Add to Dashboard button is available only when the widget is not on your dashboard.
Managing Alert Widgets
The Alert widget displays recent triggered alerts matching your specified filters.
If you click the Show Toolbar button, the widget displays two more options, Enable and Disable.
For more information on other widget buttons, see Table 9.
To add an existing alert widget to your dashboard
If a widget is already added to the dashboard, you cannot add the same widget to the dashboard again.
1. Access Dashboards > My Dashboard > Widgets from the navigation menu.
2. Click the Alerts icon. A list of existing alert widgets, if any, is displayed in the second pane.
3. Select the widget from the list. The widget’s settings are displayed for your review in the third pane.
4. Click the Add to Dashboard button to add the widget to your dashboard.
To create a new alert widget
To create an alert widget, you must have the Manage Alerts privileges. For more information about privileges, see Managing Users in the LogLogic Administration Guide.
1. Access Dashboards > My Dashboard > Widgets from the navigation menu.
2. Click the Alerts icon. A list of existing alert widgets, if any, is displayed in the second pane.
3. Click the Create New button to create a new widget. The new widget settings pane appears.
4. Enter the Name and Description of the widget.
5. Specify how to show alerts, based on Type & Priority or on a Custom Selection, as explained in Table 12.
6. Specify the number of alerts from the Show most recent list as explained in Table 12.
Table 12 Alerts Widgets Elements
Name: Specify the name of your widget displayed on the widget Title bar.
Description: Specify the description of your widget.
Shared: Select the checkbox if you want to share this widget with others. However, only the creator can edit this widget's settings.
Only show section
Type & Priority: Select this option to specify the type of system and priority. Click the checkbox to select the priority level.
Custom Selection: Select this option to specify alerts from the existing list.
Selected: Once you select an alert rule from the Available list, it appears under this column.
Available: Displays the list of available alert rules. Select an alert by clicking the appropriate alert rule name (or names). This allows you to show specific triggered alerts on your dashboard.
Show most recent: Specify how many alerts to display in the widget. The options are:
• 10 Alerts
• 25 Alerts
• 50 Alerts
• 100 Alerts
7. Click the Save Settings button to save the widget’s settings. The widget is now listed in the saved widget list. Click the Add to Dashboard button to add the widget to your dashboard.
Or,
Click the Save & Add to Dashboard button to save and add the new widget to your dashboard.
To edit an existing alert widget’s settings
Only the creator of the widget can edit that widget’s settings.
1. Select a widget from the saved widget list.
2. Make the appropriate changes.
3. Click the Save Settings button to save the new settings.
The Save & Add to Dashboard button is available only when the widget is not already on your Dashboard.
Managing System Widgets
The System widget type offers four pre-defined widgets: Network-based Data Ingest, File-based Data Ingest, Disk Usage, and CPU.
If you click the Show Toolbar button, the widget displays more view options, such as an hour range of 2 Hr, 6 Hr, or 12 Hr. For more information on the other widget buttons, see Table 9 on page 41.
To add a system widget to your dashboard
1. Access Dashboards > My Dashboard > Widgets from the navigation menu.
2. Click the System icon. The pre-defined widgets are displayed in the second pane.
3. Select the widget by clicking on the name from the list of pre-defined widgets to view the details in the pop-up window.
4. Click the Add to Dashboard button. The widget is added to your dashboard.
If a widget is already added to the dashboard, you cannot add the same widget to the Dashboard again.
Defining your Dashboard Canvas Settings
You can specify the number and size of columns on your Dashboard canvas.
To define your dashboard canvas settings
1. Access Dashboards > My Dashboard from the navigation menu.
2. Click the Dashboard link. The Edit dashboard settings window appears.
3. Specify the number of columns from the column layout options. The options are: One Column, Two Columns, or Three Columns.
4. If you select Two or Three columns option, specify the width of the column by dragging the slider to the desired width.
5. You can preview your column settings in the Preview window.
6. Click Save Settings to save your Dashboard settings. The widgets on your Dashboard are rearranged as per the new Dashboard settings.
Chapter 3 Viewing Real Time Log Messages
The Real Time Viewer provides a scrolling display of log messages from all log sources as the Appliance receives them. You can either filter messages or view all log messages unfiltered as they arrive.
The Real Time Viewer displays log messages only for syslog log sources, not for file transfer or database log source types (including log messages forwarded using LogLogic TCP).
Topics
• Accessing and Selecting Real Time Messages to View on page 52
• Viewing Log Messages in Real Time on page 56
• Java Security Settings on page 57
Accessing and Selecting Real Time Messages to View
The Real Time Viewer shows an immediate scrolling display of log messages as they are received by the Appliance.
To access the Real Time Viewer:
Choose Search > Real Time Viewer from the navigation menu.
Table 1 Real-Time Viewer Tab Elements
Saved Custom Report: Select a Custom Report from the drop-down menu. If you do not have any saved Custom Reports, this field is grayed out. This option is useful to view real-time data with the specified parameters from your saved filter for a specific Appliance.
Device Type: Devices associated with the Appliance.
Source Device: IP address of the selected Device Type. The drop-down menu contains the devices connected to the Appliance.
Highest Severity: Specify the selection of a set of syslog messages by their highest severity. Select this checkbox to filter the syslog messages of that severity.
Table 1 Real-Time Viewer Tab Elements (Cont'd)
Search Filter: Define an expression used to limit the information displayed from the devices. Filter options are:
• Pre-Defined: The drop-down contains pre-defined search filters that you manage in the Search Filters tab.
• Use Words: Components of messages, for example, user IDs like cjreid, or parts of IP addresses like 192. The maximum character length of the Use Words field is 125.
• Use Exact Phrase: Components of a syslog message that are not independent words but form a fixed string, for example, a specific URL or Authentication rejected: keyboard-interactive for root. The maximum character length of the Use Exact Phrase field is 250.
• Regular Expression: A pattern of characters and symbols that enables the search to identify matching messages. The maximum character length of the Regular Expression field is 250. For example: User .* connected, \>su:.*(to root), and sshd.*Accepted.*for root from
Save Custom Report: Define and save frequently used search criteria for future use, to execute a report against your real-time logs more quickly. Novice users can then run reports with complex search criteria with minimal input. Specify the following information:
Report Name: A name for the report.
Report Description: A brief description for other users to understand the type of information that this report generates.
Share with Other Users checkbox: The Share with Other Users option, selected by default, makes this Custom Report accessible to other users logging in to this Appliance.
Save Report button: Click to save your changes.
Run button: Runs the filter and displays the real-time log view.
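The three text modes and the severity pre-filter in Table 1 are everything the Real Time Viewer lets you select on, so it is worth seeing exactly which lines each one admits. The following Python is an added example, not the Appliance's own filter implementation: it applies Use Words, Use Exact Phrase and Regular Expression filters to constructed syslog lines, enforces the 125- and 250-character limits from the table, and implements Highest Severity by decoding the syslog <PRI> header (severity = PRI mod 8, where lower is more urgent). Two of the regular expressions are the manual's own examples; the word-matching rule (every word must appear, case-insensitively) and all hosts, users and addresses are assumptions.

```python
"""The Real Time Viewer Search Filter modes applied to syslog lines.

Added example, not part of the LogLogic manual or product. It implements
the three text modes the table describes (Use Words, Use Exact Phrase,
Regular Expression), enforces the 125/250-character limits given there,
and adds the Highest Severity pre-filter by decoding the syslog <PRI>
header. The regular expressions are the manual's own examples; the log
lines, hosts, users and addresses are constructed. The word-mode rule
(every word must appear, case-insensitively) is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_LEN = {"words": 125, "phrase": 250, "regex": 250}
PRI_RE = re.compile(r"^<(\d{1,3})>")


def severity(line: str) -> Optional[int]:
    """Syslog severity 0 (emerg) .. 7 (debug) from a leading <PRI>; PRI = facility*8 + severity."""
    m = PRI_RE.match(line)
    return int(m.group(1)) % 8 if m else None


@dataclass
class Filter:
    mode: str                           # "words", "phrase" or "regex"
    text: str
    max_severity: Optional[int] = None  # show only this severity or more urgent

    def __post_init__(self):
        if self.mode not in MAX_LEN:
            raise ValueError(f"unknown mode {self.mode!r}")
        if len(self.text) > MAX_LEN[self.mode]:
            raise ValueError(f"{self.mode} filter exceeds {MAX_LEN[self.mode]} characters")
        self._regex = re.compile(self.text) if self.mode == "regex" else None

    def matches(self, line: str) -> bool:
        if self.max_severity is not None:
            sev = severity(line)
            # Lower numbers are more urgent, so "highest severity N" admits sev <= N.
            if sev is None or sev > self.max_severity:
                return False
        if self.mode == "words":
            lower = line.lower()
            return all(w.lower() in lower for w in self.text.split())
        if self.mode == "phrase":
            return self.text in line
        return self._regex.search(line) is not None


def view(lines: List[str], flt: Filter) -> List[str]:
    """Lines the Real Time Viewer would display for this filter."""
    return [ln for ln in lines if flt.matches(ln)]


# Constructed syslog lines (not captured from a real system).
LINES = [
    "<38>Jan 14 10:02:11 bastion sshd[4201]: Accepted publickey for root from 192.0.2.44 port 50112 ssh2",
    "<36>Jan 14 10:02:15 bastion sshd[4207]: Authentication rejected: keyboard-interactive for root",
    "<85>Jan 14 10:03:02 app01 su: pam_unix(su:session): session opened for user root by cjreid(uid=1001)",
    "<30>Jan 14 10:03:40 app01 vpnd[77]: User cjreid connected from 198.51.100.9",
    "<14>Jan 14 10:04:00 web01 httpd: GET /index.html 200",
]

if __name__ == "__main__":
    for flt in (
        Filter("regex", r"sshd.*Accepted.*for root from"),
        Filter("regex", r"User .* connected"),
        Filter("words", "cjreid"),
        Filter("phrase", "Authentication rejected: keyboard-interactive for root"),
        Filter("words", "root", max_severity=4),  # warning or worse
    ):
        print(flt.mode, repr(flt.text), "->", len(view(LINES, flt)), "line(s)")
```

One caveat when carrying the manual's third example over: the meaning of \>su:.*(to root) depends on the regular-expression dialect. In Python's re, \> is simply a literal > character rather than a word boundary, so that pattern is left out of the sample above; check the dialect of whatever engine you test a filter in before relying on it in the Viewer.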
To run the Real Time Report
1. Designate which messages to view in real time. You can pre-filter messages by source device, message severity, and text matches.
2. Click the Run button.
The Real Time Viewer appears, displaying messages meeting the filter criteria as the Appliance receives them.
When you leave the Real Time Viewer and return to it later, the content in the Viewer restarts upon your return. Messages from the previous Viewer instance are not retained in the new Viewer instance.
To run a previously saved report in the Real-Time Viewer:
1. Choose Search > Real Time Viewer from the navigation menu.
2. Select the report from the Save Custom Report drop-down menu.
3. Click the Run button.
To specify parameters to run a new report in the Real-Time Viewer
1. Choose Search > Real Time Viewer from the navigation menu.
2. Select the device type.
3. Select the source device connected to your Appliance.
4. Choose the severity level. To specify the highest level, check the Highest Severity checkbox.
5. Type your search criteria to limit the information displayed from the device(s).
6. Click the Run button.
To save a Custom Report in the Real-Time Viewer
After specifying the parameters for your report, save the report:
1. Click to expand the Save Custom Report section.
2. Type a name for your report and provide a brief description.
3. If you do not plan to share the report with other users logging in to the Appliance, uncheck the Share with Other Users checkbox. By default, this checkbox is selected.
4. Click the Save Report button to save your changes.
Viewing Log Messages in Real Time
Based on your selections in the Real-Time Viewer tab, the Real-Time Viewer: Log Messages tab shows a scrolling view of log messages in real time as they are received by the Appliance. The messages shown are determined by your input in the Search Filter section of the Real-Time Viewer tab.
If you need to scroll through the incoming messages, click Pause. However, messages that arrive while the view is paused are skipped by the view; they do not get displayed when you resume.
Table 13 Real-Time Viewer: Log Messages Screen Elements
Selected Device: Displays the Appliance source device name for the selection in the Real-Time Viewer Filter form.
Status: Status of the Real-Time Viewer display.
Pause: Stops the real-time view of the incoming log messages. If you pause the view, the Real-Time Viewer skips incoming messages until you click Resume. The number of skipped messages is displayed next to Status: Paused.
Resume: Starts the real-time view of the incoming log messages.
Clear: Deletes the view of the incoming log messages and refreshes the page.
Refresh: Refreshes the view of the incoming log messages.
Buffer Size: The number of lines to store in the buffer for viewing. The default is 10000. To change the buffer size, type the number of lines and click the Buffer Size button.
Back to Real Time Viewer: Returns you to the Real Time Viewer page, where the existing settings can be viewed and changed. After making your changes (or to keep the current settings), click the Run button.
Java Security Settings
After updating your version of Java, use one of the following procedures to allow the Real Time Viewer to launch successfully. If these steps are not followed, the Real Time Viewer status after a Java update remains "waiting for connection".
1. From Start > Control Panel, select Java (64-bit).
2. In the Java Control Panel window, select the Security tab.
3. Click the Edit Site List button, enter the LMI address as a URL in the form given under Modifying your Java settings below, and save.
The LMI is now on the exception site list, and when you run the Real Time Viewer the status is Connection Established.
If Java (64-bit) is not listed, follow these steps:
1. From Start > Control Panel, select Java.
2. In the Java Control Panel window, select the Security tab.
3. Set the Security Level to the lowest setting, which allows all Java programs to run on your computer.
Use the exception site list whenever it is available. It trusts only the LMI URL you enter, whereas lowering the Security Level lifts the applet restrictions for every site the browser visits from that workstation; if you have to lower it, restore the previous level once you no longer need the viewer.
Modifying your Java settings
The Real-Time Viewer client connection uses a Java applet; some versions of Java will not work. Java 1.8.0_x is recommended.
Note: If you are running Java 1.8.0_x, you need to:
1. As administrator, edit the file C:\Program Files (x86)\Java\jre1.8.0_31\lib\security\java.policy (the jre1.8.0_31 directory name changes with the installed update) and grant the applet permission to connect to the appliance. The example uses the appliance address fd00::aaaa:a73:1a3d and the port 4514 from this section; replace the address with the address of your appliance. The host in a java.net.SocketPermission target is written in the bracketed RFC 2732 form for IPv6 literals. Java also accepts the expanded eight-group form without brackets (fd00:0:0:0:0:aaaa:a73:1a3d:4514), but an abbreviated IPv6 address followed by a port and no brackets is ambiguous to the permission parser and is rejected.

    grant {
      permission java.net.SocketPermission "[fd00:0:0:0:0:aaaa:a73:1a3d]:4514", "connect,resolve";
    };

You can also grant both the abbreviated and the non-abbreviated form:

    grant {
      permission java.net.SocketPermission "[fd00:0:0:0:0:aaaa:a73:1a3d]:4514", "connect,resolve";
    };
    grant {
      permission java.net.SocketPermission "[fd00::aaaa:a73:1a3d]:4514", "connect,resolve";
    };

A grant block without a codeBase applies to every Java program on the workstation, so keep the target to the one appliance host and the one port rather than a wildcard host or a port range.
2. In Control Panel > Java > Security, add the following to the exception site list: https://[fd00::aaaa:a73:1a3d]:443, where fd00::aaaa:a73:1a3d is your appliance IP, and https://[fd00:0:0:0:0:aaaa:a73:1a3d]:443, where fd00:0:0:0:0:aaaa:a73:1a3d is the non-abbreviated version of your appliance IP. The host in the URL is the appliance address alone; the applet port 4514 belongs in the SocketPermission, not in the URL.
Appliance IP Address can be either IPv4 or IPv6. Both are supported.
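The script below is an added example, not part of the LMI documentation or product. It writes out the two pieces of Java configuration this section asks for (exception site list URLs and java.policy grants) from a single appliance address, producing both the abbreviated and the non-abbreviated IPv6 form as the section does. The HTTPS port 443 and the applet port 4514 are taken from this section's examples; writing the SocketPermission host in the RFC 2732 bracketed form is an assumption based on the java.net.SocketPermission documentation (Java also accepts the expanded eight-group form without brackets, but not an abbreviated literal without brackets).

```python
"""Java exception-site URLs and java.policy grants for an LMI appliance address.

Added example, not part of the LMI product. Ports come from this section of
the manual; the bracketed IPv6 host form follows the java.net.SocketPermission
documentation (RFC 2732).
"""
import ipaddress

WEB_PORT = 443      # port in the exception site list URL (from this section)
APPLET_PORT = 4514  # port in the SocketPermission target (from this section)


def address_forms(addr):
    """Textual forms of an address: the IPv4 address itself, or for IPv6 the
    abbreviated form and the expanded form with leading zeros dropped
    (fd00:0:0:0:0:aaaa:a73:1a3d), which is how this section writes it."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return [str(ip)]
    expanded = ":".join(g.lstrip("0") or "0" for g in ip.exploded.split(":"))
    return [ip.compressed] if ip.compressed == expanded else [ip.compressed, expanded]


def host_port(form, port):
    """host:port with IPv6 literals enclosed in brackets (RFC 2732)."""
    return "[%s]:%d" % (form, port) if ":" in form else "%s:%d" % (form, port)


def exception_site_entries(addr):
    """URLs to add under Java Control Panel > Security > Edit Site List."""
    return ["https://%s" % host_port(f, WEB_PORT) for f in address_forms(addr)]


def policy_grants(addr):
    """grant blocks to append to java.policy: connect,resolve to the applet port only.
    A grant without a codeBase applies to every Java program on the workstation,
    so the target is kept to one host and one port."""
    template = 'grant {\n  permission java.net.SocketPermission "%s", "connect,resolve";\n};'
    return "\n".join(template % host_port(f, APPLET_PORT) for f in address_forms(addr))


if __name__ == "__main__":
    # the IPv6 address is the one used in this section; the IPv4 one is a constructed example
    for appliance in ("fd00::aaaa:a73:1a3d", "10.10.10.10"):
        print("\n".join(exception_site_entries(appliance)))
        print(policy_grants(appliance))
```

Run it with the address of your own appliance and paste the first block of output into the exception site list and the second into java.policy; the IPv4 case produces a single entry because an IPv4 address has only one textual form.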
Chapter 4
Searching Collected Log Messages
As the Appliance collects log data from your log sources, you can search on those collected log messages. In addition to running various simple and complex searches, you can define search filters and run reports.
Pre-defining search filters lets you include specific search criteria in an Index Search, a Regular Expression Search, the Real Time Viewer, and All Saved Searches without having to re-enter the filtering criteria each time.
Viewing archived data files lets you reload and open older, compressed log data for viewing on an Appliance.
Topics
• Search Overview on page 60
• Using Index Search on page 62
• Tag-Based Searches Using the Tag Picker Interface on page 78
• Using Regular Expression Search on page 79
• Using Search Filters on page 86
• Viewing All Saved Index Searches on page 95
• Using and Creating All Index Reports on page 96
For details on Boolean expressions, Regular Expression usage, what gets indexed, and available delimiters, see the Search Strings topic in the Online Help.
Search Overview
LogLogic provides search and reporting tools for finding specific information in collected log message content. The tool you use varies depending on the task you want to perform.
• Index Search — Search on indexed log source messages using a Boolean expression and see the results immediately. Use Index Search when a simple, fast search can provide the information you need to analyze failures or other anomalies.
• Regular Expression (RegEx) Search — Search using a single regular expression or pre-defined search filter, either immediately or at a scheduled time.
• Real Time Viewer — The Real-Time Viewer shows an immediate scrolling display of real-time log messages as they are received by the Appliance. The options form allows for pre-filtering of these messages by log source or device group, message severity, and text matches. Only log messages meeting the filter settings are shown. See Viewing Log Messages in Real Time on page 56.
• Index Report — Generate a report based on indexed data using pre-defined Boolean search filters. Essentially, an Index Report is a compilation of multiple Index Searches run at once. You can specify one or more pre-defined filters to use, and add additional criteria to those filters.
Table 14 Search and Reporting Feature Comparison
Columns, left to right: Index Report, Index Search, RegEx Search, Real Time Viewer.
Features compared:
• Multiple filters in search
• Boolean Expressions
• Regular Expressions
• Graphical Results Available
• Graphically view trends over time or log sources
• Schedulable Search
• Save customized search criteria for future use
• View finished/past search results: Index Report No, Index Search No, RegEx Search Yes, Real Time Viewer Yes
For the first seven features the Yes/No cells survive only as runs of values under the column label that preceded them, and their assignment to rows cannot be recovered from this copy: Index Report: Yes, Yes, No, Yes, No, No, Yes. Index Search: No, Yes, No, Yes, Yes, No, No, Yes, No, No. RegEx Search: Yes, No, No. Real Time Viewer: Yes, No, No, Yes, Yes, Yes, No, Yes.
For a simple search to match a specific string, use Index Search. To search for strings that match more complex patterns, use RegEx Search.
Using Index Search
Use Index Search to perform targeted searches on log messages using keywords,
Boolean expressions, and wildcards on the Appliance or log sources. Index Search lets you pinpoint problem areas on all log sources captured on the Appliance and then view the search results quickly.
Due to the dynamic nature of LogLogic reporting, when paging between the last page of search results and other pages, additional messages matching the search criteria might have been received since the initiation of the original search. As such, you might see additional messages included on subsequent visits to the last search results page.
Index Search works on indexed logs making it faster than a search using regular expressions (RegEx search). By default, the Appliance performs an Index Search on the Appliance itself and all log sources collected on the Appliance in the last hour.
Search Expression Rules
The following rules apply when you enter a search expression:
• Use Boolean operators, such as AND, OR, or NOT for your search expression
(but do not begin the expression with leading NOT)
• Use wildcard characters, such as an asterisk (*) or question mark (?) to match strings (but do not begin the expression with the wildcard)
• Do not use < or > as these are not valid characters
• Use delimiters such as parentheses to tell Index Search what to evaluate first
• Enter up to 256 characters for your search expression
• When using Index Search and Tag Based search, the system does not support the use of search patterns shorter than 3 characters
Index Searches are case insensitive, so you do not have to use all uppercase letters when using Boolean operators, although it helps readability. Some simple Index Search examples include:
Table 15 Index Search Examples
Index Search Example: Rule
tcp: Use search expressions containing at least three characters.
authenticate AND failed; Tcp NOT Udp: Use Boolean operators, such as AND, OR, or NOT.
admin*; 10.*: Use wildcard characters such as an asterisk (*) or a question mark (?) as shortcuts to match strings. Note: a wildcard Index Search on IPv6 addresses works only if the asterisk or question mark is at the end of the address, as in 2001:db8::ff00:42:83??. It does not work if the wildcards are used anywhere else in the address, as in these examples:
2001:db8::ff00:*:8329
2001:db8::ff0?:42:8329
2001:db8::ff0*:42:8329
2001:db8::????:42:8329
(tcp and udp) and service: Use a delimiter such as parentheses to specify what gets evaluated first. In this example, tcp and udp are evaluated before the service keyword.
For details on Boolean expressions, search strings, and available delimiters, see the Search Strings topic in the Online Help.
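The following program is an added example, not LogLogic code. It models the Search Expression Rules and the examples of Table 15 as a checker and a small evaluator, so you can see which expressions the rules reject and how an accepted expression is evaluated against constructed sample log lines (the lines are made up for this example). Three details are assumptions about the Appliance, not statements from this guide: a term matches a whole whitespace-separated token of the message, matching is case-insensitive, and two terms written next to each other without an operator are ANDed (which is how the Tcp NOT Udp example reads).

```python
"""Index Search expression rules and evaluation (added example, not LogLogic code).

Rules from this chapter: AND/OR/NOT, * and ? wildcards, parentheses, at most
256 characters, no < or >, no leading NOT or wildcard, patterns of at least 3
characters, wildcards only at the end of an IPv6 address.
Assumptions: a term matches a whole whitespace-separated token, matching is
case-insensitive, adjacent terms without an operator are ANDed.
"""
import re

MAX_LEN = 256
OPERATORS = {"AND", "OR", "NOT"}
TOKEN_RE = re.compile(r"\(|\)|[^\s()]+")
IPV6_CHARS = re.compile(r"^[0-9A-Fa-f:*?]+$")

# Constructed sample messages, not real appliance output
SAMPLE_LOGS = [
    "Jan 20 11:31:02 fw1 kernel: tcp connection from 10.10.10.10 to 10.0.0.5 port 443 accepted",
    "Jan 20 11:33:10 fw1 kernel: udp packet from 192.168.1.20 dropped service dns",
    "Jan 20 11:36:45 srv2 sshd: authenticate failed for admin over tcp from 10.10.10.10",
    "Jan 20 12:02:00 srv2 sshd: login user administrator tcp udp service check",
]


def validate(expr):
    """Return the list of rule violations; an empty list means the expression is acceptable."""
    problems = []
    if len(expr) > MAX_LEN:
        problems.append("expression longer than %d characters" % MAX_LEN)
    if "<" in expr or ">" in expr:
        problems.append("< and > are not valid characters")
    words = [t for t in TOKEN_RE.findall(expr) if t not in ("(", ")")]
    if not words:
        problems.append("expression is empty")
    if words and words[0].upper() == "NOT":
        problems.append("expression must not begin with NOT")
    if words and words[0][0] in "*?":
        problems.append("expression must not begin with a wildcard")
    for w in words:
        if w.upper() in OPERATORS:
            continue
        if len(w) < 3:
            problems.append("pattern %r is shorter than 3 characters" % w)
        stripped = w.rstrip("*?")  # IPv6 literal: only a trailing run of wildcards is supported
        if ":" in w and IPV6_CHARS.match(w) and ("*" in stripped or "?" in stripped):
            problems.append("wildcard inside IPv6 address %r is not supported" % w)
    return problems


def _term_matches(term, message):
    """Match one term (with * and ? wildcards) against each whitespace-separated token."""
    pattern = re.escape(term).replace(r"\*", ".*").replace(r"\?", ".")
    rx = re.compile(pattern, re.IGNORECASE)
    return any(rx.fullmatch(tok) for tok in message.split())


class _Parser:
    """Recursive-descent evaluator: parentheses first, then NOT, then AND, then OR."""

    def __init__(self, expr):
        self.tokens = TOKEN_RE.findall(expr)
        self.pos = 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def evaluate(self, msg):
        value = self.parse_or(msg)
        if self.peek() is not None:
            raise ValueError("unexpected %r" % self.peek())
        return value

    def parse_or(self, msg):
        value = self.parse_and(msg)
        while self.peek() is not None and self.peek().upper() == "OR":
            self.take()
            rhs = self.parse_and(msg)  # always evaluated so the tokens are consumed
            value = value or rhs
        return value

    def parse_and(self, msg):
        value = self.parse_not(msg)
        while True:
            nxt = self.peek()
            if nxt is None or nxt == ")" or nxt.upper() == "OR":
                return value
            if nxt.upper() == "AND":
                self.take()  # explicit AND; any other token is an implicit AND (assumption)
            rhs = self.parse_not(msg)
            value = value and rhs

    def parse_not(self, msg):
        if self.peek() is not None and self.peek().upper() == "NOT":
            self.take()
            return not self.parse_not(msg)
        return self.parse_atom(msg)

    def parse_atom(self, msg):
        tok = self.take()
        if tok == "(":
            value = self.parse_or(msg)
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return value
        if tok == ")" or tok.upper() in OPERATORS:
            raise ValueError("unexpected %r" % tok)
        return _term_matches(tok, msg)


def search(expr, messages=SAMPLE_LOGS):
    """Validate expr against the rules, then return the messages it matches."""
    problems = validate(expr)
    if problems:
        raise ValueError("; ".join(problems))
    return [m for m in messages if _Parser(expr).evaluate(m)]
```

search("(tcp and udp) and service") returns only the last sample line, because the parenthesised pair is evaluated before the service keyword; validate("NOT tcp") and validate("2001:db8::ff00:*:8329") each return a violation, while validate("2001:db8::ff00:42:83??") returns none.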
Running an Index Search
Index Search is available on all Appliances. By default, the Appliance performs an Index Search on the Appliance itself and all log sources from which logs were collected on the Appliance in the last hour. You can search using these defaults or change them.
To run an Index Search from the Index Search Interface
1. Access the Index Search page from home: Search > Index Search.
2. Enter your search expression in the search text box and click the Run button.
Do not use < or > in your search expression as these are not valid characters.
If you want, you can adjust the search scope and rerun the search by selecting specific log sources and/or a different timeframe.
Selecting Specific Log Sources
To perform a more targeted search, you can narrow the search scope to a group of log sources, such as all firewall interfaces, all routers, all General Syslog, Microsoft sources, other UNIX, or LogLogic Appliances.
The default rule is set as All Sources except LogLogic. This includes all logs except LogLogic Appliance logs. You can add any individual and/or group of non-LogLogic sources to this rule. However, if you specify any log source other than a LogLogic source, the default rule is removed from the filter list (in the left pane) and the new log source is added. This exception for LogLogic sources applies only to system-defined groups, not to user-defined groups: if you select a user-defined group that includes only LogLogic sources, the default rule is still removed.
On the Management Station, you can select one managed Appliance, all Appliances, or particular groups of Appliances (for example, all LX Appliances or all ST Appliances) on which to run the search. The Choose Device pop-up automatically populates the log sources included in all defined groups.
When the Appliance selection is “All”, “All LX/MX”, or “All ST”, only system-defined groups (for example, All Cisco PIX) and user-defined global groups that reside on the Management Station are displayed.
To run a targeted Index Search
1. Click the All Sources except LogLogic button to open the Select Source(s) window.
2. Select log sources from the Add Log Sources pane. You can select sources by Appliance, and filter by Name, Collector Domain, IP Address, Group or Type.
a. If you picked “Name”, enter a Source Name, a specific Device Name or a Name Mask. Wildcards are accepted in this field.
b. If you picked "Collector Domain", enter the name of the Collector Domain. This is the name used to identify each message sent from a specific device.
c. If you picked “IP Address”, enter a Source IP Address, a specific IP Address or an IP Address Mask. Wildcards are accepted in this field.
d. If you picked “Group”, enter a Group Name, or click the down arrow to the right of the text field and select “All” or one of the other Group names displayed in the drop-down box.
e. If you picked “Type”, enter a Source Type (a specific device type), or click the down arrow to the right of the text field and select “All” or one of the other Device Types displayed in the drop-down box.
When adding a large number of devices, create a dynamic rule that contains all listed devices. To create a rule, first filter by Name or Type to retrieve the list of devices, then click the << Add filters as a rule button, which creates a dynamic rule containing all listed devices in the right pane.
3. Click << Add filters as a rule.
4. Enter a name for the dynamic rule in the pop-up window and click OK.
5. Click the sources you want in your search and then click << Add selected log sources to add the selected devices and filters to the left-hand pane.
6. Click Set. The new selection appears in the Sources row, and the Index Search Sources field displays the newly added log sources.
Select Time Frame for an Index Search
To select a time frame for an Index Search
1. Click the calendar icon (to the right of Last Hour) to launch the Date and Time Range Picker.
2. Select a preset time interval by clicking the down arrow to the right of Last Hour, or pick a timeframe from the pop-up calendar. Click Set.
3. Click Run.
4. At the Search pop-up, select whether you want to retrieve all messages and click Yes. After a few moments, the Index Search results are displayed.
Using the Search Results Tab
Viewing Index Search Results
Index Search results are displayed in the Search Results tab and the keywords you entered are highlighted in different colors.
For example, when entering login AND user as your Boolean expression, the Search Results tab shows the first keyword “login” in yellow and the second keyword “user” in turquoise.
Figure 3 Viewing Index Search Results
The UI uses several different colors to highlight search keywords after which it repeats the same color scheme.
In the results tab the Collector Domain is displayed in one of two ways:
• For Collector Domains specified in a UC, the format <collector domain id>_<device IP>_<device type> is displayed in the Name field. For example, a Windows machine with an IP address of 10.10.10.10 and collector domain 1 is displayed as 1_10.10.10.10_windows.
• For Collector Domains specified in LMI (Management > Devices > Add New), the Collector Domain name is displayed in the Collector Domain field.
To view search results using different view options
1. From the top right of the Index Search screen, click the View drop-down menu to open the view options: Reset to Default, Show Timeline, Hide Meta Header, View by, Chart Type.
2. The Search Results view options are:
Table 16 Index Search View Options
Reset to Default: Resets to default settings.
Show Timeline: Select this checkbox to show the timeline graph.
Hide Meta Header: Select this checkbox to hide the metadata header information.
View By: Select the option to view by Time or Device type.
Chart Type: Select the type. The options are Bar chart or Line chart.
Configuring Search Results Settings
To configure Search Results settings
1. From the top right of the Index Search page, click the Options button. The Columns and Grouping window appears.
2. Optionally, enter a filter keyword in the Keyword field to narrow the displayed columns in your report.
3. Select the appropriate Column Name by clicking in the checkbox to include or exclude that column from your report. You can change the column name by clicking on the name. The column name field becomes an editable field allowing you to make the changes.
If you enter the same column name for two columns, the Index Search Results page displays the results for those two columns merged into one column.
4. Use the arrow buttons to move the selected column.
5. Choose the Display options.
Table 17 Display Options
Raw: Select this option to display Index Search Results in time-increasing order.
Grouped: Select this option to display Index Search Results grouped by the selected column.
Group By: Choose the column to group search results on from the drop-down menu. The default options are:
• Time
• Device IP
• Device Source
• Facility
• Severity
You can add more columns by creating custom tags using Log Labels. See the Device Types online help video tutorial for instructions.
Time Interval: This option is enabled when you select Group By Time. The results are grouped based on the specified time interval. Select the Time Interval from the following options:
• Every 5 Minutes
• Every 30 Minutes
• Every Hour
• Every 3 Hours
• Every 6 Hours
• Every 12 Hours
• Every Day
• Every Week
Sum By: This optional setting adds up the numerical values of the selected column so that the Search Results Summary displays the sum of the grouped column instead of the count of message instances.
Aggregation Size: Select the option from the drop-down menu. The results are sorted based on the selected option. The options are:
• Top 1
• Top 5
• Top 50
• All
6. Click Apply to apply the new settings. The Index Search Results page displays the refined search results.
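The following program is an added example, not LogLogic code. It applies the Display options of the Columns and Grouping window (Group By, Time Interval, Sum By and Aggregation Size) to a handful of constructed, already parsed search hits, so the difference between counting messages and summing a column, and the effect of the time bucket size, can be seen on concrete rows. The column names time, device_ip, severity and bytes and the sample rows are assumptions made for the example; an Appliance's actual columns come from its parsers and any Log Label tags you define.

```python
"""Grouped Index Search results (added example, not LogLogic code).

Reproduces Group By, Time Interval, Sum By and Aggregation Size on
constructed hits. Column names and rows are assumptions for the example.
"""
from datetime import datetime, timedelta

INTERVALS = {
    "Every 5 Minutes": timedelta(minutes=5),
    "Every 30 Minutes": timedelta(minutes=30),
    "Every Hour": timedelta(hours=1),
    "Every 3 Hours": timedelta(hours=3),
    "Every 6 Hours": timedelta(hours=6),
    "Every 12 Hours": timedelta(hours=12),
    "Every Day": timedelta(days=1),
    "Every Week": timedelta(weeks=1),
}
AGGREGATION_SIZE = {"Top 1": 1, "Top 5": 5, "Top 50": 50, "All": None}
EPOCH = datetime(1970, 1, 1)

# Constructed sample hits, not real appliance output
SAMPLE_HITS = [
    {"time": datetime(2016, 1, 20, 11, 31), "device_ip": "10.10.10.10", "severity": "error", "bytes": 1200},
    {"time": datetime(2016, 1, 20, 11, 33), "device_ip": "10.10.10.10", "severity": "warning", "bytes": 300},
    {"time": datetime(2016, 1, 20, 11, 36), "device_ip": "10.0.0.5", "severity": "error", "bytes": 5000},
    {"time": datetime(2016, 1, 20, 11, 38), "device_ip": "10.10.10.10", "severity": "error", "bytes": 700},
    {"time": datetime(2016, 1, 20, 12, 2), "device_ip": "192.168.1.20", "severity": "info", "bytes": 100},
    {"time": datetime(2016, 1, 20, 12, 4), "device_ip": "10.0.0.5", "severity": "error", "bytes": 2500},
]


def bucket_start(ts, interval):
    """Align ts down to the start of its interval, measured from the Unix epoch
    (so weekly buckets start on Thursdays, the weekday of the epoch)."""
    secs = int((ts - EPOCH).total_seconds())
    size = int(interval.total_seconds())
    return EPOCH + timedelta(seconds=secs - secs % size)


def group_results(hits, group_by, time_interval="Every 5 Minutes", sum_by=None, aggregation="All"):
    """Summarise hits as a list of (group, value) ordered by value, largest first.

    group_by      column to group on; "time" buckets by time_interval
    sum_by        numeric column to add up instead of counting messages
    aggregation   "Top 1", "Top 5", "Top 50" or "All"
    """
    totals = {}
    interval = INTERVALS[time_interval]
    for hit in hits:
        key = hit[group_by]
        if group_by == "time":
            key = bucket_start(key, interval).strftime("%Y-%m-%d %H:%M")
        totals[key] = totals.get(key, 0) + (hit[sum_by] if sum_by else 1)
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], str(kv[0])))
    limit = AGGREGATION_SIZE[aggregation]
    return ranked if limit is None else ranked[:limit]


if __name__ == "__main__":
    print(group_results(SAMPLE_HITS, "device_ip"))
    print(group_results(SAMPLE_HITS, "device_ip", sum_by="bytes", aggregation="Top 1"))
    print(group_results(SAMPLE_HITS, "time", time_interval="Every 30 Minutes"))
```

Grouping by device_ip and counting puts 10.10.10.10 first with three messages; summing bytes instead puts 10.0.0.5 first with 7500, which is the distinction the Sum By option makes.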
Managing Search Results
The Search Results tab provides a toolbar with several options for managing
Search results.
Table 18 Search Results Tab Toolbar Elements
Collapse (toolbar icon): Collapses and condenses the results display view.
Clip Selected message(s): From the drop-down menu use the default clipboard, a saved clipboard, or create a new clipboard to save results.
In Context (toolbar icon): Allows you to view the selected message in relation to all others in your Index Search results. For details, see Viewing Index Search Results In Context.
Create Message Pattern: Create a new log message pattern with the selected message. Highlight a message in the Search Results and click the Create Message Pattern button. The Message Pattern Editor is displayed, which can be used to select a particular message from a particular device and then create a pattern based on the parameters of that message for use in further searches. For detailed instructions, see the online help tutorial or the Creating Message Signatures chapter in the LogLogic Administration Guide.
Save (toolbar icon): Saves the results. You can choose Save or Save as from the drop-down menu to save your results. You can update your saved results using the Save as option; see Saving Search Results on page 70.
Number of Indexed Pages: Get the total number of indexed messages in the Index Search results. This is particularly useful for large volumes of log messages as it lets you go through matched messages one page at a time. To page through the results, click the next arrow; to return to the previous page, click the previous page arrow. You can also return to the first page or go to the last page by clicking the first and last page arrows. The total results number is automatically updated when you select the Show Timeline graphical view.
Help (toolbar icon): Displays context-sensitive help.
Viewing Index Search Results In Context
When analyzing log events, you can select a particular message and see the log messages that immediately preceded or followed the message from your search results.
The In Context tab appears only after the first time you click the in-context icon in the search results toolbar.
To view a particular log message in context
1. On the Search Results tab, select the message that you want to view and then click the in-context icon.
The In Context tab appears (next to the Clipboard tab) and the message you selected is immediately displayed in the Search Results tab.
2. Scroll down the page: the affected log message is highlighted in blue to show its relationship to the log messages that preceded this condition as well as those that occurred after this message.
3. Click the appropriate button to save the report. You can choose to save results in CSV, PDF, or HTML format.
Saving Search Results
You can download Index Search results to view immediately or save them in CSV, PDF, or HTML format. These buttons are located to the left of the Save button. After a few moments, the report in your chosen format appears.
Table 19 Save Search Results
CSV: Use Microsoft Excel or another spreadsheet program to display Index Search results in a spreadsheet. By default, search results are written to SearchExpressionHits.csv and saved on the desktop.
PDF: Use Adobe Acrobat Reader to display the Index Search results. By default, search results are written to report.pdf and saved on the desktop. The first page includes a table of contents with links to the query used for the Index Search and the results table.
HTML: Opens a new tab in your Web browser and immediately displays HTML Index Search results as a LogLogic report. The HTML results include a table of contents with links to the query used for the Index Search and the results table. By default, the downloaded results are saved as LogLogicReport.zip in a temp folder on the local drive. You can use your own company logo on the report; see the General tab under System Settings.
To save search results report
1. Click the Save As option from the Save icon drop-down menu to save the report. The Save As Report window appears. You can update a saved report later by using the Save option.
2. Enter the name and description of the report in the Name and Description fields respectively. The Name field is mandatory.
Do not use any special characters in the Description field when saving the Index report.
3. Select the Suite option from the drop-down menu.
4. Select the Share? checkbox if you want to share the report.
5. Select the desired print option. For a Grouped Search, the options are Print Summary Report or Print Detailed Report.
6. Click Save to save the results.
Viewing Trends
After running Index Searches, you can use the View menu to view search results graphically using the timeline option. The trend output you see is based on your chosen time range and chosen devices referenced by the Index Search and always includes only the messages and devices for that distribution.
The trend feature can be a powerful tool during your analysis of certain events and lets you see trends for certain activities by Time and Device.
Each option lets you view timeline data in either bar chart or line chart format. These charts show:
• the time or device on the x-axis
• the total number of messages on the y-axis
The procedure for viewing trends over time and by device is the same.
To view trends over time
1. Click the View drop-down menu and then select the Show Timeline checkbox.
A timeline chart displays below the search text box. You can immediately see the distribution of messages over time and begin to get a sense of trends in the timeline chart.
By hovering the mouse over an affected bar, you can get the total number of messages matching your search expression at that particular point in time.
Figure 4 View Menu – Viewing Trends by the Timeline Bar Chart
For example, in the figure below you can see 39 log message instances at 11:30 in the morning. The y-axis shows the total number of messages, and the x-axis shows the time distribution of those instances.
Figure 5 Zooming In to the Timeline Bar Chart
2. To zoom in on a particular area of interest, press and hold the left mouse button and drag over the area of interest.
This refreshes the timeline view to show the zoom area in more detail.
Figure 6 Timeline Detail
3. To return to the original view, click Zoom Out.
4. To view the same search in line format, select Chart Type > Line Chart from the View menu.
This displays the results in a line chart format. From this view, you can see spikes in the number of messages that match the keyword “login”.
Figure 7 Viewing Trends by the Timeline Line Chart
Similarly, to view the same Index Search by log source, select View By > Device from the View menu.
Using the Search History Tab
Each time you run an Index Search, your search criteria are automatically saved on the Search History tab. The Search History tab includes:
• Only those Index Searches with valid search criteria.
• User-specific Index Searches, which can be shared when saved as a search filter.
• Most recent searches on the top of the list
You can configure the search entries displayed (rows/page) on the Search History tab through the admin > Your LogApp Account tab (see Viewing Your
Saving an Index Search as a Filter
While search histories are user-specific, you can save an Index Search as a search filter. You can use these saved search filters yourself or you can share these saved search filters with other users of the Appliance.
To save an Index Search as a search filter
1. Click Search History to see the history of Index Searches.
2. Select the saved Index Search and then click the Save As Filter icon. The Save As Filter dialog box is displayed.
3. Enter a name, description and expression for the filter. Do not use < or > in your search expression as these are not valid characters.
4. The filter name and description help you and other users to quickly understand the type of information that this Index Search generates.
5. If you want to share this filter with other users, select the Shared with other users checkbox.
6. Click Add.
The Index Search is saved as a filter. You can use the filter in two places:
— Search > Index Search > Search Filters tab
— Search > All Search Filters tab
Running a Previously Saved Search Expression
Since your Index Searches are automatically saved for you on the Search History tab, you can browse through these previously saved sets of search criteria and run them again.
To run a previously saved Index Search
From the Search History tab, select the saved Index Search that you want to run and then click the Run icon.
Using the Search Filters Tab
The Search Filters tab lists all saved search filters created on the Search History tab. The Search Filters tab includes a run icon in the toolbar, making it convenient to run a previously saved search filter.
The Search Filters tab organizes search filters by their name and displays the search expression used for the search filter in the Expression column.
All of your saved search filters show up on the Search Filters tab and on the Index Report tab.
To view or use a previously saved Index Search filter
1. Select the filter from the table and then click the run icon. This copies the search expression into the search expression text box.
2. Press Enter to run the search filter.
This loads all the results of the search on the Search Results tab.
Using the Clipboard Tab
The Index Search Clipboard is an important tool for investigating and troubleshooting log events. For example, during your analysis of a certain event, you might find an item of interest in one or more log messages. Once identified, you can create a Clipboard and copy and paste the affected log message(s) onto the Clipboard.
You can create several clipboards until you have found everything you need to help you with your analysis as you drill down on the details. After saving clipped messages to the clipboard, you can view them on the Clipboard tab and on the Search Results tab.
The Clipboard tab provides a toolbar with several options for using clipped messages. These options include:
• Add: adds a new clipboard
• Delete: deletes one or more clipped messages
• Edit: allows you to view or edit the clipped message
Adding a New Clipboard
You can add a clipboard from:
• the Search Results page
• the Clipboard tab
You can add up to 1,000 messages to a Clipboard. Each user can create up to 100 Clipboards.
The procedure is essentially the same in both places. The next procedure shows how to add a Clipboard from the Search Results tab.
To add a new Clipboard from the Search Results tab
1. On the Search Results tab, select messages to add to the clipboard from the search results.
2. To select more than one message to add to the Clipboard, hold the Shift key as you click on each message.
3. From the Clip selected message(s) drop-down menu, select New Clipboard.
4. The Add Clipboard dialog box opens.
5. Enter a name for clipboard in the Name field.
6. If you enter an existing clipboard name, the messages are added to that existing clipboard.
7. Add a description for the clipped message in the Annotate field and click Add.
The clipboard is added to the Clipboard tab and it is also available from the Search Results tab. You can go back and view or edit the clipped message(s) later on to allow for more analysis.
Viewing or Editing Clipped Messages
After saving clipped messages and annotating them, you can view or edit clipboards on the Clipboard tab.
To view or edit clipped messages
1. On the Clipboard tab, select the clipboard that you want to view or edit and click the edit icon.
The Edit Clipboard dialog box appears. You can change the following:
— the Name of the clipped message
— the Annotation for the clipped message
— remove one or more clipped log messages
2. Modify the Name, Annotation, or remove log messages and click Update.
Deleting Clipped Messages
You can manage the clipboard table by deleting unwanted clipped messages.
To delete a clipped message
1. On the Clipboard tab, select the clipped message you want to delete and click the Delete button.
2. To delete more than one clipped message, hold down the Shift key, select the messages you want to delete, and then click the Delete button.
The selected messages are deleted from the Clipboard tab.
Tag-Based Searches Using the Tag Picker Interface
You may use the new Tag Picker Interface to access saved search terms in order to quickly run an updated Index Report.
To update an Index Report using the Tag Picker Interface
1. Access the Index Search page by going to home: Search > Index Search. Click the arrow below the text box labeled “Enter your search expression...”. The Tag Picker Interface opens.
2. Select an Event Type and left-click. The selected Event Type appears in the Enter your search expression... text box.
3. Add a Boolean operator (AND) to the search expression, and left-click a saved Field Tag. The selected Field Tag appears after the Boolean operator in the Search Expression text box.
4. Add a wild card (*) to recall all saved Field Tags with that name. Click Run.
You can specify special characters such as spaces, forward-slashes (/) etc. inside the quotes for Field Tags. For example: Identity: “John Smith”; Domain: “domain name / JOHN SMITH”.
5. Select View and display the Bar Chart for the search expression.
6. Compare with the previous saved Index Search results for this expression.
Using Regular Expression Search
Use the RegEx Search Filter tab to find specific types of data based on search expressions and time intervals you define. RegEx Search provides more powerful search filter options than Index Search, though RegEx Search can take longer to process and is less interactive.
To specify parameters for a new search
1. Select Search > Regular Expression Search from the navigation menu.
2. (Management Station only) Select the Appliance (or All Appliances) on which to run the search.
3. Select the Device Type.
4. Select the Source Device, or all devices, connected to the Appliance.
To view Global groups created on this Management Station, you must select All Appliances under Appliance.
Devices with a Collector Domain are displayed in one of two ways:
— For Collector Domains specified in a UC, the format <collector domain id>_<device IP>_<device type> is displayed in the Name field. For example, a Windows machine with an IP address of 10.10.10.10 and collector domain 1 is displayed as 1_10.10.10.10_windows.
— For Collector Domains specified in LMI (Management > Devices > Add New), the Collector Domain name is displayed in the Collector Domain field.
5. Specify the Time Interval in which to search for data passing through your Appliance.
6. Define your Search Filter. Select one of the following options and specify the respective parameters.
— Retrieve All—Use to retrieve all log files collected during a specified time interval regardless of the defined search expression parameters.
— Pre-Defined—Select a pre-defined search expression (defined in/by search filters). All search filters you create appear in the drop-down menu as a pre-defined search expression. If the selected filter includes multiple parameter fields, a text field for each parameter appears. The maximum length for each field is 25 characters.
— Use Words—Use a specific word(s) as a search parameter.
— Use Exact Phrase—Use an exact phrase as a search parameter.
— Regular Expression—Use a regular expression as a search parameter.
For more information about modifying or creating search expressions, see Using Search Filters on page 86.
7. Specify the Time Interval to search for data passing through your Appliance.
8. Set a time for the search; do one of the following:
— Select the Schedule Search to Run Immediately checkbox to start your search of archived data immediately.
— Define a time to start the search of archived data. If the selected time is in the past, the search runs immediately. This search is useful if you know exactly which data source you want to search and do not need to search a time interval.
9. Enter a Search Name for the search.
10. Select the Notify me when this search completes checkbox to receive a notification that the search has completed.
11. To generate the report, click the Run button.
Concurrent Regular Expression Searches apply only to Appliance models above the 1000 series. You can select the number of concurrent searches to perform; the default is one, but you can choose to run two searches concurrently.
To generate a previously saved report
1. Select Search > Regular Expression Search from the navigation menu.
2. In the RegEx Search Filter tab, select the report from the Saved Custom Report drop-down menu.
— To generate the report, click the Run button.
— To export the report data to a file in CSV format, click the Save as CSV button.
To save a Custom Report
After specifying the parameters for your report, save the report:
1. Click to expand the Save Custom Report section.
2. Type a name for your report and provide a brief description.
3. If you do not plan to share the report with other users logging in to the Appliance, uncheck the Share with Other Users checkbox. By default, this checkbox is selected.
4. If packages are present on the Appliance, the Add Report to Package drop-down menu is visible letting you select a package in which to include this report.
5. Click the Save Report button to save your changes.
Using Distributed Regular Expression Search
Use Distributed RegEx Search to select individual Remote Appliances or all configured Appliances to run a RegEx search and retrieve the merged results from the Remote Appliances and the Management Station.
Prerequisites:
• Add remote Appliances — Refer to the "Creating a Management Station Cluster" section in the LogLogic Administration Guide.
• The Admin must provide access to each of the remote Appliances for users to have access to the data on the remote Appliances. Access to Appliances is provided to users via the Appliances tab of the User Edit page. For more information about user privileges, refer to the “Managing Users” chapter in the LogLogic Administration Guide.
The Management Station and all Remote Appliances must have LMI v5.4.2 or newer installed.
To run a Distributed RegEx Search
1. Select Search > Regular Expression Search from the navigation menu.
2. For a Distributed RegEx Search you must select All Appliances.
The Distributed RegEx Search does not support Custom Reports on the Management Station.
3. Select the Device Type.
— If "All" is selected, the Source Device menu will allow you to select all devices or select a single device from the Management Station.
— Otherwise, select from the list of device types configured on the Management Station.
4. Select the Source Device.
— If "All" is selected then logs from both the Management Station and Remote Appliances will be returned.
Search results are based on the device name and will mostly be returned from the Management Station. However, if the Management Station and Remote Appliances happen to have the same device name, then the logs from both the Management Station and the Remote Appliance will be returned.
5. Define your Search Filter. Select one of the following options and specify the respective parameters.
— Retrieve All — Use to retrieve all log files collected during a specified time interval regardless of the defined search expression parameters.
— Pre-Defined — Select a pre-defined search expression (defined in/by search filters). All search filters you create appear in the drop-down menu as a pre-defined search expression. If the selected filter includes multiple parameter fields, a text field for each parameter appears. The maximum length for each field is 25 characters.
— Use Words — Use a specific word(s) as a search parameter.
— Use Exact Phrase — Use an exact phrase as a search parameter.
— Regular Expression — Use a regular expression as a search parameter.
For more information about modifying or creating search expressions, see Using Search Filters on page 86.
6. Specify the Time Interval to search for data passing through your Appliance.
7. Select the Notify me when this search completes checkbox to receive a notification that the search has completed.
8. Set a time for the search; do one of the following:
— Select the Schedule Search to Run Immediately checkbox to start your search of archived data immediately.
— Define a time to start the search of archived data. If the selected time is in the past, the search runs immediately. This search is useful if you know exactly which data source you want to search and do not need to search a time interval.
9. Enter a Search Name for the search. If a name is not entered in this field the results will be displayed as distributed search <date><timestamp>.
10. To generate the report, click the Run button.
Only the Management Station Appliance can see the merged results from both the Management Station and Remote Appliances. A Remote Appliance can only see its own local results.
Viewing Distributed RegEx Search Results
To view a list of all the searches that are currently running, see the Currently Running Searches table in the Pending Searches tab.
For each running search, this table lists the search schedule, timespan, name, owner, Regular Expression, and the approximate number of files processed, the total number to search, and the percentage completed.
For Distributed RegEx Searches two results will be displayed on the Management Station search page. This is because two searches were run on the Management Station: one for the Management Station and one for the combined results from the Management Station and the selected Remote Appliances. The Remote Appliances will only see their local results.
Figure 8 Finished Distributed RegEx Searches
Viewing Pending and Running Searches
The Pending Searches tab regularly refreshes to list all the pending and currently running RegEx and Distributed RegEx searches on the Appliance. To force a refresh, click the tab name.
Viewing Running Searches
To view a list of all the searches that are currently running, see the Currently Running Searches table in the Pending Searches tab.
For each running search, this table lists the search schedule, timespan, name, owner, Regular Expression, and the approximate number of files processed, the total number to search, and the percentage completed.
To suspend a running search, check its checkbox and click the Stop button. A suspended search stops processing; its partial results up to that point appear in the Finished Searches tab.
Figure 9 Running and Pending RegEx Searches
Viewing Pending Searches
To view a list of all the searches that are scheduled to run, see the Currently Pending Searches table in the Pending Searches tab.
For each pending search, this table lists the priority for the search, its schedule, timespan, name, owner, Regular Expression, and an estimate of the number of files to search.
To remove a pending search from the queue, check its checkbox and click the Remove button. There is no confirmation prompt for removing a pending search.
To add a new RegEx search to the queue, click the Add New button. The RegEx Search tab appears.
Viewing RegEx Search Results
You can view pending, running, or finished searches in the Finished Searches or Pending Searches tabs under Search > Regular Expression Search. To force a refresh of the tab and view the latest finished searches, click the tab name.
Viewing Finished Searches
To view the search results for any searches that have completed, click the number of matches for the report in the Finished Searches tab list.
Figure 10 Finished RegEx Searches
To view the search results for a particular search, click its number of Matches.
To view or download the search results in HTML, PDF, or CSV, click the format extension in the Download Size column. (Clicking the size number downloads the results as a CSV file.)
To delete a past search from the Appliance, select its checkbox and click the Remove button.
Using Search Filters
Search filters are user-created filters (saved search patterns) that can be used in:
• Alerts
• Real-Time Viewer
• Index Search
• RegEx Search
• Index Reports
You can also filter your results using the Find field. Enter the keywords in the Find field to view the filtered results based on your search keywords. You can filter results based on all columns.
The Find field does not support the use of Japanese.
The All Search Filters page lists all search filters:
• You created in the Add Search Filter page
• You created and saved from the Index Search History tab (see Saving an Index Search as a Filter on page 74)
• Available to you, including shareable filters created or owned by other users
Avoid using a regular expression when a non-regular expression alternative is available. Regular expressions are almost always slower and more error prone than non-regular expressions. For instance, instead of using the regular expression ^[^:]*://.*\.loglogic\.com/.*$ you should write url.domain=loglogic.com. You can also use a wildcard symbol for searches. In a regular expression search, the wildcard * matches the preceding element zero or more times.
Adding a Search Filter
To add a search filter for complex pattern matching, use the Add Search Filter page.
To add a search filter
1. Select Search > All Search Filters from the navigation menu.
2. Click the Add New button.
3. Type a name for your new search filter.
4. Sharing - Read Only is the default setting for a new search filter; other users of this Appliance may see and use the new search filter. Set the radio button to No to prevent others from seeing and using the new search filter. Set the radio button to Read Write to allow others to see and modify the new search filter.
5. Type a brief description of the new search filter.
This description helps you remember what the filter is for, and describes it to other users if you shared the filter.
6. Select a search filter option and enter the search filter criteria (see Search Filter Options on page 87).
For this example we will select the following option and a single filter criterion:
a. Select the radio button Use Exact Phrase.
b. Enter $username in the Use Exact Phrase text field.
7. Click the Add button.
When adding the very first Search Filter to the Appliance, you may see the message "There is no Search Filter defined in the system" immediately after clicking Add. Refresh the Appliance memory by clicking Regular Expression Search in the navigation menu; then click Search Filters in the menu, and your new Search Filter will appear in the list.
Search Filter Options
There are four types of search expressions you can use when adding a search filter.
Table 20 Search Filter Comparison
Use Words
  Search Criteria: A word, or two words with AND/OR
  Use Pre-Defined RegEx Filters: Yes
  Where Filter Is Used: RegEx Search, Alerts, Real-Time Viewer
Use Exact Phrase
  Search Criteria: A phrase
  Use Pre-Defined RegEx Filters: Yes
  Where Filter Is Used: RegEx Search, Alerts, Real-Time Viewer
Regular Expression
  Search Criteria: Regular expression
  Use Pre-Defined RegEx Filters: Yes
  Where Filter Is Used: RegEx Search, Alerts, Real-Time Viewer
Boolean Expression
  Search Criteria: Keyword search using Boolean expressions
  Use Pre-Defined RegEx Filters: No
  Where Filter Is Used: Index Search and Index Report
Custom reports allow whichever filter types apply to the custom report's contents. For example, a custom report saved from an Index Search allows Boolean search filters. When creating a search filter to be used for Index Search or an Index Report, make sure to choose Boolean Expression as the filter type.
Use Words
Type a word as your search criteria. If you type more than one word, you can use the AND/OR drop-down menu.
To specify any string of characters, use wildcards (*). For example, RADI*UDP would match the RADIUS opened UDP handle string.
Use Exact Phrase
Type a phrase as your search criteria. The Appliance searches for strings including the phrase you specify.
To specify any string of characters, use wildcards (*). For example, RADI*UDP would match the RADIUS opened UDP handle string.
You can also define a parameter field using $fieldname. For example, $username $zipcode $phone displays three text entry fields when you select the search filter in the RegEx Search tab. Field names with spaces in them display only the first word in the RegEx Search tab. For more information, see Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter on page 91.
Regular Expression
Type a regular expression as your search criteria; that is, a single character, a string of characters, or a string of numbers. A regular expression (RegEx) is a pattern that is matched against a subject string from left to right. Most characters stand for themselves in a pattern and match the corresponding characters in the subject.
The power of regular expressions comes from the ability to include alternatives and repetitions in the pattern. These are encoded in the pattern by use of metacharacters which, instead of standing for themselves, are interpreted in a special way.
Avoid using a regular expression when a non-regular expression alternative is available. Regular expressions are almost always slower and more error prone than non-regular expressions. For instance, instead of using the regular expression ^[^:]*://.*\.loglogic\.com/.*$ you should write url.domain=loglogic.com.
You can use a wildcard symbol (*) for searches. Using a wildcard for RegEx searches means the * matches the preceding element zero or more times.
Once you add a regular expression, the values you enter are stored as parameters in the database. To use this regular expression with alerts, Real-Time Viewer, or RegEx Search, select the Pre-Defined radio button.
If you are creating a search filter for an alert, the search filter must be a RegEx expression.
Boolean Expression
Type a keyword search that uses Boolean operators such as AND, OR, or NOT.
For example:
“Portmapped translation built for gaddr” and NOT 155.363.777.53
This searches indexed data only. Indexing increases performance when searching unparsed data. It is most effective when used to find a rare occurrence of a string.
In addition to entering a keyword, you can also type:
• Numbers and words which are three or more characters
• Terms under three characters, preceded by =. For example, for terms such as user=a or priority=7 the a and 7 are indexed.
The Boolean Expression field is visible only if you enable Full Text Indexing from the General Settings tab. You cannot use Advanced Options with Boolean Search.
Your Boolean expression should be no longer than 1024 characters in length.
For more on using Boolean search strings, see the Search Strings topic in the Online Help.
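The four filter types above differ in how the criteria are matched: Use Words and Use Exact Phrase treat the text literally with * as a wildcard, Regular Expression applies the pattern as written, and Boolean Expression consults the full-text index, where only terms of three or more characters (or a value following =) exist. The Python below is an added example written for this guide, not code from the LogLogic product; its log lines are constructed, and it models the matching rules as the manual states them rather than the Appliance's actual implementation. Its index tokenization (splitting on whitespace and on punctuation other than . - _ =) and the absence of parentheses in Boolean expressions are assumptions.

```python
import re

# Constructed sample log lines (not from the manual); line 0 mirrors the manual's
# "RADIUS opened UDP handle" example, lines 2-3 its "Portmapped translation" one.
SAMPLE_LOGS = [
    "Jan 12 10:01:02 radius01 radiusd[412]: RADIUS opened UDP handle on port 1812",
    "Jan 12 10:01:05 fw01 %PIX-6-305011: Built dynamic TCP translation from inside:10.1.1.5/4432 to outside:203.0.113.7/4432",
    "Jan 12 10:01:09 fw01 %PIX-6-305009: Portmapped translation built for gaddr 203.0.113.9/80 laddr 10.1.1.9/80",
    "Jan 12 10:01:11 fw01 %PIX-6-305009: Portmapped translation built for gaddr 203.0.113.10/443 laddr 10.1.1.10/443",
    "Jan 12 10:02:00 web01 httpd: GET http://intranet.loglogic.com/login user=a priority=7",
]

def wildcard_to_regex(term):
    """Escape a term literally, turning each '*' into 'any string'."""
    return ".*".join(re.escape(part) for part in term.split("*"))

def use_words(words, op="AND"):
    """Use Words: every word (AND) or any word (OR) must occur; '*' is a wildcard."""
    patterns = [re.compile(wildcard_to_regex(w), re.IGNORECASE) for w in words]
    combine = all if op.upper() == "AND" else any
    return lambda line: combine(p.search(line) is not None for p in patterns)

def use_exact_phrase(phrase):
    """Use Exact Phrase: the phrase occurs literally ('*' is still a wildcard)."""
    pattern = re.compile(wildcard_to_regex(phrase))
    return lambda line: pattern.search(line) is not None

def regular_expression(regex):
    """Regular Expression: searched anywhere in the line, no implicit anchors."""
    pattern = re.compile(regex)
    return lambda line: pattern.search(line) is not None

def index_terms(line):
    """Terms the full-text index holds for a line: tokens of three or more
    characters, plus any value (however short) that follows '=' (assumed)."""
    terms = set()
    for tok in re.findall(r"[A-Za-z0-9_.=\-]+", line):
        if "=" in tok:
            key, val = tok.lower().split("=", 1)
            if len(key) >= 3:
                terms.add(key)
            if val:
                terms.add(val)
        elif len(tok) >= 3:
            terms.add(tok.lower())
    return terms

def _parse_operand(tokens):
    """One operand: any number of NOTs followed by a quoted phrase or a term."""
    negate = False
    while tokens and tokens[0].upper() == "NOT":
        negate, tokens = not negate, tokens[1:]
    if len(tokens) != 1:
        raise ValueError("malformed operand: " + " ".join(tokens))
    return negate, tokens[0]

def _operand_matches(negate, tok, line, idx):
    if len(tok) >= 2 and tok[0] == tok[-1] == '"':
        hit = tok[1:-1].lower() in line.lower()    # phrase: literal substring
    elif "=" in tok:
        key, val = tok.lower().split("=", 1)
        hit = key in idx and val in idx            # key=value: both indexed
    else:
        hit = tok.lower() in idx                   # bare term: must be indexed
    return hit != negate

def boolean_expression(expr):
    """Boolean Expression: AND / OR / NOT over indexed terms and quoted phrases.
    NOT binds tightest, then AND, then OR (this example has no parentheses)."""
    if len(expr) > 1024:
        raise ValueError("Boolean expression is limited to 1024 characters")
    tokens = re.findall(r'"[^"]*"|\S+', expr)
    groups = [[]]                                  # split on OR ...
    for tok in tokens:
        if tok.upper() == "OR":
            groups.append([])
        else:
            groups[-1].append(tok)
    clauses = []
    for group in groups:                           # ... then each group on AND
        clause, operand = [], []
        for tok in group + ["AND"]:
            if tok.upper() != "AND":
                operand.append(tok)
                continue
            clause.append(_parse_operand(operand))
            operand = []
        clauses.append(clause)
    def matches(line):
        idx = index_terms(line)
        return any(all(_operand_matches(n, t, line, idx) for n, t in clause)
                   for clause in clauses)
    return matches

def search(matcher, lines=SAMPLE_LOGS):
    """Indices of the lines a filter matches."""
    return [i for i, line in enumerate(lines) if matcher(line)]
```

Two points the script makes visible: the anchored pattern ^[^:]*://...$ quoted earlier assumes the subject string is a URL on its own; run against a whole syslog line, whose timestamp contains colons, it never matches, which is one more reason to prefer the non-regex form where one exists. And a Boolean search for a short token such as a or 7 only finds it when the log wrote it as user=a or priority=7, because bare tokens under three characters are not in the index.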
Putting Your Logins Search Filter to Work
Complete the following steps to start using your Logins search filter:
1. Select Regular Expression Search from the navigation menu.
2. On the RegEx Search Filter tab that appears, select the Pre-Defined radio button.
3. In the Pre-Defined text field (Select Expression), click the drop-down menu arrow, select Logins search, and click on the filter name. The filter form reloads and now displays “Logins search” in the Pre-Defined text field.
Note that because you specified the parameter $username in the Use Exact Phrase text field when you defined your Logins search filter, the Appliance has opened a new text box next to username in which you may further define the type of user to search for.
4. Enter "admin" in the username text field to search for that class of user alone, or enter the wildcard * to search for logins from all users.
5. Select a Start Time to run your Logins search (immediately in this example).
6. Enter a name for your search in the Search Name text field.
7. Click the Save Custom Report menu expansion arrow and enter a Report Name and Report Description, and select whether to Share with Others.
8. Click Save Report.
9. Click Run.
Figure 11 Report of Logins by username admin
10. Click the number of matches to see the detailed report of the logins by username admin.
Figure 12 Detailed Report of Logins by username admin
Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter
As shown above, when creating a pre-defined search filter, you can define a parameter field using the expression $fieldname. The value you enter in the parameter replaces $field. In our example, we chose $username as our expression, and typed admin into the User Name field. This caused the regular expression search to return admin users wherever $username was specified.
The maximum length for each $field is 25 characters. Regular expressions can be up to 255 characters in length.
This feature applies only to the Use Exact Phrase search filter and Regular Expression search.
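The parameter mechanism described under Use Exact Phrase on page 88 and in this section amounts to three rules: each $field in the filter text becomes a form field named by the word after the $, the value typed into that field (at most 25 characters, with * meaning any string) replaces the $field when the search runs, and a Regular Expression filter may be at most 255 characters. The Python below is an added example for this guide, not LogLogic code; the login lines are constructed, and treating a typed value as literal text (so that regex metacharacters in it cannot alter the surrounding pattern) is an assumption, because the manual does not say how the Appliance handles such values.

```python
import re

MAX_FIELD_VALUE_LEN = 25   # per the manual: each $field value is at most 25 characters
MAX_REGEX_LEN = 255        # per the manual: a regular expression is at most 255 characters

# A $field name ends at the first non-word character, so "$user name" yields the
# parameter "user" (the manual notes that names with spaces show only the first word).
PARAM_RE = re.compile(r"\$(\w+)")

# Constructed sample log lines (not from the manual).
LOGIN_LOGS = [
    "Accepted password for admin from 10.1.1.5 port 51544 ssh2",
    "Accepted password for alice from 10.1.1.7 port 51550 ssh2",
    "Failed password for admin from 203.0.113.9 port 40110 ssh2",
]

def parameter_names(filter_text):
    """The text fields the RegEx Search form would show, in order of first use."""
    names = []
    for name in PARAM_RE.findall(filter_text):
        if name not in names:
            names.append(name)
    return names

def _literal(value):
    """A typed value is literal text in which '*' means 'any string'.
    Assumption: escaping the rest keeps metacharacters in a value (for
    example '.*' or ')') from changing the pattern around it."""
    return ".*".join(re.escape(part) for part in value.split("*"))

def bind_parameters(filter_text, values, is_regex=False):
    """Compile the filter with every $field replaced by its value. For Use Exact
    Phrase the surrounding text is literal; for Regular Expression it is a pattern."""
    if is_regex and len(filter_text) > MAX_REGEX_LEN:
        raise ValueError("regular expression longer than %d characters" % MAX_REGEX_LEN)
    parts = PARAM_RE.split(filter_text)   # literal, name, literal, name, ..., literal
    out = []
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out.append(part if is_regex else re.escape(part))
            continue
        if part not in values:
            raise KeyError("no value supplied for $" + part)
        value = values[part]
        if len(value) > MAX_FIELD_VALUE_LEN:
            raise ValueError("value for $%s longer than %d characters" % (part, MAX_FIELD_VALUE_LEN))
        out.append(_literal(value))
    return re.compile("".join(out))

def run_filter(filter_text, values, lines, is_regex=False):
    """Indices of the lines the bound filter matches."""
    pattern = bind_parameters(filter_text, values, is_regex)
    return [i for i, line in enumerate(lines) if pattern.search(line)]
```

Binding "$username from $ipaddress" with username admin and ipaddress * reproduces the search in this section; narrowing ipaddress to 10.1.* shows how a wildcard in one field restricts the results without touching the rest of the filter.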
Creating a Multi-Parameter Pre-Defined Regular Expression Search Filter
In the following example we will build on our single-parameter Logins search filter by adding two additional parameters: $zipcode and $phone.
1. Create a new pre-defined search filter exactly as the example Logins search filter we created above, except this time type $username $zipcode $phone in the Use Exact Phrase field.
2. Name your new search filter “Multi-parameter search” and click Add.
This time the new search filter appeared immediately after clicking Add, and both search filters are displayed in the list.
3. Select Search > Regular Expression Search, and select the Pre-Defined radio button; then select the pre-defined search filter that you just created
(Multi-parameter search) from the drop-down menu.
4. The new form reloads, displaying a text field for each $field (search parameter) you defined for this new search filter. The maximum length for each $field is 25 characters.
5. Click Save Custom Report at the bottom of the form, and enter a report name and description.
6. Click Save Report.
7. Enter values in the parameter text fields and click Run.
In this example we typed $username $zipcode $phone in the Use Exact Phrase field when creating the filter. The Appliance generated a text field in the search form for the part after each $. We typed admin in the username field, and used the wildcard * in the zipcode and phone fields to return the maximum number of user logins.
We elected to Save Custom Report, named it Multi-parameter search, and selected Schedule to run immediately for the Hourly Period: Last 24 Hours. See the results of our multi-parameter search filter query in Figure 13.
The detailed Multi-parameter Search Report is revealed by clicking the number of matches returned by the search (see the arrow at the bottom of the top figure).
You can define this parameter for the Use Exact Phrase or Regular Expression fields from the Add or Modify page for any search filter.
Figure 13 Multi-parameter Search Filter Results and Report
8. Click the Finished Searches tab to see the results of the Parameter Search.
Modifying a Search Filter
In the second example above we created a new search filter and added two more search parameters: $zipcode and $phone. As an alternative, we could have modified the first search filter we created, "Logins by username admin". In the example below, you will see how to modify an existing search filter (assuming you no longer want to retain the original filter configuration).
To modify an existing search filter
1. Select Search > Search Filters from the navigation menu.
2. Click on the name of the filter you want to change.
3. The Modify Search Filter tab appears with the same options as Adding a Search Filter on page 86.
4. Modify the search filter name, description, filter options and criteria, or sharing with other users as needed.
5. Now we think that IP address would be more valuable to us than zipcode and phone, so we elect to modify our multi-parameter search filter to suit our new needs. We could also simply delete the filter and create a new one.
6. Click the Update button to modify the search filter.
7. Select Regular Expression Search from the navigation menu.
8. Click the Pre-Defined radio button on the RegEx Search Filter tab.
9. Select Multi-parameter search from the drop-down menu in the Select Expression field (but do not enter search parameters until you complete Step 10 below).
10. Click the Save Report button at the bottom of the form and enter a new report name and description. Click Save Report.
11. Return to the search parameter text fields and enter your new parameters
(username = admin, and ipaddress = wildcard *).
12. Click Run.
13. Click Finished Searches and then click the number of matches returned to see the results.
Viewing All Saved Index Searches
The All Saved Searches screen displays a list of all saved searches for specific types of data based on search expressions and time intervals you have defined and saved in the past. All saved searches and types, such as Index Search, RegEx Search, Index Report, etc., that are stored in the system are visible on this page.
Click the Run icon and regenerate the report with a different time range, or click the Edit icon and change the saved report parameters before rerunning the report.
You can also filter the list of saved reports displayed by title by typing a key word from the report title in the Find field and pressing Enter. The keyword or words will be highlighted in the resulting list. To restore the full list of saved reports, clear the Find field and press Enter again.
You can also create reports from this page by clicking the down-arrow in the Create Report button and selecting among Index Search, Regular Expression Search, and Real Time Viewer.
• For more information on Index Search, see Using Index Search on page 62.
• For more information on Regular Expression Search, see Using Regular Expression Search on page 79.
• For more information on Real Time Viewer, see
Using and Creating All Index Reports
Use the All Index Reports screen to view a list of all saved searches for specific types of data based on search expressions and time intervals you defined. You can use these results to verify information found in your reports.
The results provide the number of hits for each selected search filter, which you can view in a table or a graphical chart. From the table, you can drill down to view the specific hits for a filter in detail similar to Index Search results.
To create an Index Report
1. From Search menu, select All Index Reports submenu.
2. Click Create Report to open the Properties window.
3. Select log sources from the right-hand pane. You can select sources by Appliance, and filter returns by Name, IP Address, Group or Type.
a. If you picked "Name", enter a Source Name, a specific Device Name or a Name Mask. Wild cards are accepted in this field.
b. If you picked "Collector Domain", enter the name of the Collector Domain.
This is the name used to identify each message sent from a specific device.
c. If you picked "IP Address", enter a Source IP Address, a specific IP Address or an IP Address Mask. Wild cards are accepted in this field.
d. If you picked “Group”, enter a Group Name, or click the down arrow to the right of the text field and select “All” or one of the other Group names displayed in the drop-down box.
e. If you picked "Type", enter a Source Type (a specific device type), or click the down arrow to the right of the text field and select "All" or one of the other Device Types displayed in the drop-down box.
4. Click <<Add as a rule, and enter a name in the text field of the dynamic rule pop-up.
5. Click OK to add the selected source and filters to the left-hand pane.
6. On the right-hand pane select a device name (or names) from the list by clicking its name.
7. Click <<Add selected log sources to add devices from the selected source to which you want to apply the filters when running the report.
8. Click Columns and Filters to select the columns for your report and choose filters for your results. Click in the field under the Value column and enter a term for the filter (such as login, id, etc.). Then click in the field under the Operator column and pick an operator from the drop-down. Click Apply. The selected operator and value will move to the left-hand column.
9. Click Index Report Search Selections to select from the available expressions to be used in the report. If none are available, click New Expression... to add a new Boolean search expression for use in any Index Report.
10. In the Add Search Expression... popup that appears, enter Name, Description, Expression, and then click Sharing to define whether others can use or modify the new filter. Click Save.
Do not use < or > in your search expression as these are not valid characters.
11. Place a checkmark next to the new search expression and click << Apply Selections to add them to the left-hand pane for use in filtering your report. Then click Save As.
12. Enter a name and description of the report in the pop-up. Select Share with others if desired. Click Save & Close. The new report will appear in the list of all saved Index Reports.
13. Click in the Name field and enter a term to search for entries in the Saved Reports list. Hit Enter. Any term found in the list of report titles will be highlighted; all other reports not containing the search term will no longer show in the list of Saved Reports. Clear the search term in the Name field and hit Enter to see all Saved Reports again.
14. Click the Run icon in the Actions column. The Date and Time Range Picker pops up, with Last Hour as the default setting. Click the down arrow next to Last Hour to reveal several other options (Last 2, 3, 6, 12, 18 or 24 Hours; Today; Yesterday). Select the timeframe from the Date and Time Range Picker, and click Run again to execute the report.
On the results page, click Display Chart. Both Pie and Bar charts are available.
The chart segments can be highlighted by mousing over them. Right-clicking on the chart or segments opens a print menu.
Chapter 5 Creating and Managing Alerts
Alerts notify you of any unusual traffic on the network or detect anomalies on log sources or the LogLogic Appliance itself.
You can create alerts specific to your monitoring needs, and use alerts that come pre-configured with Compliance Suites or Log Source Packages. You can also update existing alerts or remove them as needed. Similarly, you can define a new custom alert template and manage the existing custom alert templates. Using the template variables, you can define the alert email subject and alert message body for custom alerts.
You can import/export the custom alert templates and formats between appliances. For more details, refer to the LogLogic Administration Guide.
For any alert, you can designate SNMP trap receivers, syslog receivers, and email recipients so that notifications are delivered when the alert triggers.
Topics
• Viewing and Handling Alerts on page 100
• Manage Alert Templates on page 102
• Adding a New Alert Template Format on page 102
• Viewing and Modifying an Alert Template on page 106
• Removing an Alert Template on page 106
• Managing Alert Rules on page 107
• Adding a New Alert Rule on page 108
• Modifying or Removing An Alert on page 114
Viewing and Handling Alerts
The Show Triggered Alerts page lists events triggered by rules defined for this
Appliance to monitor and report on. The Show Triggered Alerts page lets you:
• view all alerts
• filter shown alerts by alert category, priority, alert type, and keywords
• view all system alerts only, regardless of priority
• change the alert category to Acknowledged
• delete the alerts permanently
• (MA or Management Station only) view alerts on a specific managed Appliance or on all managed Appliances
When the Data Privacy mode is enabled, these types of alerts will not be displayed on the Show Triggered Alerts page: VPN Connection Alert, VPN Statistic Alert, VPN Message Alert, Pre-defined Search Filter Alert, Cisco PIX/ASA Messages Alert, and Network Policy Alert.
For more information on Data Privacy mode, see Managing System Settings chapter in the LogLogic Administration Guide.
When an alert is triggered, Alert Viewer shows the alert category as New.
To filter and view alerts
1. Choose Alerts > Show Triggered Alerts from the home page.
2. Select the type of alerts to display from the Show drop-down menu.
— All States shows all alerts in all categories.
— New or Acknowledged Alerts shows only alerts in the selected category.
3. Select the alert priority to view from the second drop-down menu. The options are: All Priorities, High, Medium, Low, and All System Alerts. To view all system alerts regardless of priority, select All System Alerts.
4. Select the type of alert from the third drop-down menu. To view all types of alerts, select All Types.
5. (MA or Management Station only) Select the Appliance from which to view triggered alerts. To aggregate alerts from all managed Appliances into a single list, select All.
6. To filter using the keywords, enter the keywords in the Find field and press Enter. To search based on Priority and Type, select the respective drop-down menus. For the remaining columns, enter the keyword in the Find field to filter the list.
The filtered results will be displayed.
The Show Triggered Alerts page displays the specified alerts with the following details:
Table 21 Alert Details
Time: Time the alert triggered.
Source IP: Source IP address contained in the syslog message. If an alert is for multiple devices, Device Group is shown as the Source IP.
Priority: The priority of the alert. An alert's priority is specified in the General tab.
Type: The Log Appliance alert type. For a list of alert types, see Table 26 on page 109.
Alert Destination: Email addresses, trap receivers, or syslog receivers to which notifications were sent when the alert triggered.
To page through and move alerts
To page through multiple results to your query:
• Use the navigation buttons to go to the first, previous, next, or last page, respectively.
• Type a page number and click the button next to it to view the results on a specific page.
To acknowledge or remove alerts:
• To move alerts to the Acknowledged category, select their checkboxes and click the acknowledge button.
• To delete selected alerts, select their checkboxes and click the delete button.
• To delete all alerts permanently, regardless of priority, click the delete-all button.
Move an alert to the Acknowledged category once you have been notified of the alert. Remove an alert once the cause of the alert is corrected.
Manage Alert Templates
The Manage Alert Templates menu allows you to define a new alert template format and manage the custom alert templates. Using the template variables, you can edit the alert message.
The Manage Alert Templates page displays the following details:
Table 22 Manage Alert Templates Details
Filter By Names: Filter using the template names. Enter the keywords and press Enter to view the filtered list.
Name: Name of the alert template.
Type: Type of the alert.
Template Type: Type of template.
Max Message Length: Indicates the maximum character length (including the alert email subject and the alert message) that will be displayed.
Used By Alert(s): Click the List link to view a list of alerts used by this template.
Adding a New Alert Template Format
You can define a new alert template format using the Add New Alert Format option.
To add an alert template format
1. Choose Alerts > Manage Alert Templates from the navigation menu.
2. The Manage Alert Templates page appears.
3. Click the Add New button. The Add New Alert Format window appears.
4. Define a template name in the Name field. This must be a unique name for each template.
5. From the Alert Type drop-down menu, select the type of alert.
For an ST Appliance, only four alert types are available: Adaptive Baseline Alert, Message Volume Alert, Search Filter Alert, and System Alert.
6. Select the Template Type from the drop-down menu. The options are: Email, Alert History, SNMP Trap, and Syslog. Once you select the template type, the default body for the selected type appears in the Body field.
7. Select a variable from the Variables list.
8. Once you select a variable, the actual string for the selected variable appears in the Variable Text field.
The valid variable string definitions are:
Table 23 Alert Template Variable Definitions
$ALERT_DESCRIPTION: User-defined alert description.
$ALERT_ID: A number specific to the alert type. For example, 050300 for Message Volume Alert.
$ALERT_LOG_SOURCES: A list of log sources assigned to the alert.
$ALERT_NAME: User-defined alert name.
$ALERT_TIME: The time when the alert was triggered.
$ALERT_TYPE: Type of alert. For example, Message Volume Alert.
$ALERT_URL: The URL that opens a page with alertable event details. Do not add any special characters after the $ALERT_URL.
$CUSTOM_EMAIL_SUBJECT: A portion of the email subject that is pre-constructed based on the alert type. This field contains alert type-specific details. You cannot change this field.
$CUSTOM_STRING: A portion of the email body that is pre-constructed based on the alert type. This field contains alert type-specific details. You cannot change this field.
$CUSTOM_SYSLOG_STRING: A portion of the alert syslog message that is pre-constructed based on the alert type. This field contains alert type-specific details. You cannot change this field.
$FILTER: Text of a search filter that matched as part of a Search Filter alert.
$FILTER_NAME: A search filter name. This filter is assigned to a Search Filter alert.
$HIGH_THRESHOLD: The high threshold value that was exceeded during alert monitoring.
$LOG: The log message that triggered the alert.
$LOG_SOURCES: The log sources that triggered the alert.
$LOG_SOURCE_IPS: IP addresses of log sources that triggered the alert.
$LOW_THRESHOLD: The low threshold value that was crossed during alert monitoring.
$NUM_EVENTS: Number of alertable events that happened during the reset time. The reset time temporarily suppresses alerts.
$PRIORITY: The alert priority.
$RECIPIENT: Email, syslog, and SNMP destinations where the alert was sent.
$RESET_TIME: Alert reset time. Reset time temporarily suppresses alerts.
$SNMP_STRING: A portion of the alert SNMP message that is pre-constructed based on the alert type. This field contains alert type-specific details. You cannot change this field.
$SRC_APPLIANCE: The Appliance that triggered the alert.
$TIME_SPAN: The time span value used in the alert definition.
$TYPE_SYSLOG: Alert type encoding as used in the syslog alert message, for example “MESSAGE_VOLUME_ALERT”.
1. The $$ variable will be translated as $. For example, $$ALERT_DESCRIPTION will be displayed in the alert history as $ALERT_DESCRIPTION.
2. If you define a number before the variable string, then only the specified number of characters will be displayed in the alert message when the variable value is longer. For example, if you specify the variable string as $10ALERT_DESCRIPTION, then only the first 10 characters of the alert description will be displayed. The remaining characters will be truncated.
3. Since some variables, for example $LOW_THRESHOLD and $HIGH_THRESHOLD, are not supported for certain alert types, they may be displayed as empty or 0.
4. When some alerts cannot distinguish log sources that produced messages from those that produced none, for example Message Volume Alert and VPN Statistics Alert, they may list all assigned log sources in the $LOG_SOURCES variable.
9. The Maximum Message Length field displays the default maximum character length of the alert email subject and alert message that will be displayed. You can update this value anytime. If the length of the alert email subject and alert message is longer than the specified value, then the email subject will be truncated.
When the selected Template Type is Email, the default maximum character length is 65503.
10. When you select the Template Type as Email, the Subject field appears with default subject. Add or change the subject description that will appear in the email. You must enter either email Subject or email Body. You cannot keep both these fields blank.
You cannot have <subject>, </subject>, <body>, and </body> tags in the Subject or Body field.
11. Add or change the default body of the selected template type in the Body field. You can select multiple variables. When adding, make sure you copy and paste the exact variable string (from Variable Text field) in the Body field.
12. Click the Add button to save the new template format. The newly added template will be displayed on the Manage Alert Templates page.
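The variable-expansion rules from the notes under Table 23, together with the Subject/Body checks of steps 9 and 10, as an added illustration in Python. This is not LMI's own rendering code: the function names, the constructed sample alert values, and the choice to render an unsupported variable as an empty string are assumptions made for the example.

```python
import re

# Default maximum character length for the Email template type (step 9).
DEFAULT_EMAIL_MAX_LENGTH = 65503
# Tags that must not appear in the Subject or Body fields (step 10).
FORBIDDEN_TAGS = ("<subject>", "</subject>", "<body>", "</body>")

# Either the '$$' escape, or '$' + optional width + an upper-case variable
# name such as ALERT_DESCRIPTION, HIGH_THRESHOLD or TYPE_SYSLOG.
_VAR_RE = re.compile(r"\$\$|\$(\d*)([A-Z][A-Z_]*)")


def expand_template(template, values):
    """Expand $VARIABLE references following the notes under Table 23.

    - '$$' is emitted as a literal '$', so '$$ALERT_DESCRIPTION' stays text.
    - A width prefix ('$10ALERT_DESCRIPTION') keeps only that many characters.
    - A variable absent from `values` (unsupported for the alert type) is
      rendered as an empty string; that treatment is an assumption here.
    """
    def replace(match):
        if match.group(0) == "$$":
            return "$"
        width, name = match.group(1), match.group(2)
        value = str(values.get(name, ""))
        return value[:int(width)] if width else value

    return _VAR_RE.sub(replace, template)


def validate_fields(subject, body):
    """Return the rule violations for a Subject/Body pair (steps 10 and 11)."""
    problems = []
    if not subject and not body:
        problems.append("Subject and Body cannot both be blank")
    for field, text in (("Subject", subject), ("Body", body)):
        lowered = text.lower()
        for tag in FORBIDDEN_TAGS:
            if tag in lowered:
                problems.append(f"{field} contains the {tag} tag")
    return problems


def render_email(subject_tpl, body_tpl, values, max_length=DEFAULT_EMAIL_MAX_LENGTH):
    """Expand both fields and apply the Maximum Message Length rule of step 9:
    when subject + message exceed the limit, the subject is what gets cut."""
    subject = expand_template(subject_tpl, values)
    body = expand_template(body_tpl, values)
    overflow = len(subject) + len(body) - max_length
    if overflow > 0:
        subject = subject[:max(0, len(subject) - overflow)]
    return subject, body


# Constructed sample values for a System Alert (not real appliance output).
SAMPLE_VALUES = {
    "ALERT_NAME": "Disk usage high",
    "ALERT_TYPE": "System Alert",
    "PRIORITY": "High",
    "HIGH_THRESHOLD": "80%",
    "ALERT_DESCRIPTION": "Disk usage on the data volume exceeded the threshold",
}

SAMPLE_SUBJECT = "[$PRIORITY] $ALERT_NAME"
SAMPLE_BODY = (
    "Alert $ALERT_NAME ($ALERT_TYPE)\n"
    "Threshold: $HIGH_THRESHOLD, low: $LOW_THRESHOLD\n"  # $LOW_THRESHOLD unsupported here
    "Summary: $10ALERT_DESCRIPTION\n"
    "Literal variable name: $$ALERT_DESCRIPTION\n"
)

if __name__ == "__main__":
    print(validate_fields(SAMPLE_SUBJECT, SAMPLE_BODY))  # [] : nothing to report
    subject, body = render_email(SAMPLE_SUBJECT, SAMPLE_BODY, SAMPLE_VALUES)
    print(subject)  # [High] Disk usage high
    print(body)     # "Summary: Disk usage", "low: " empty, "$ALERT_DESCRIPTION" literal
```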
Viewing and Modifying an Alert Template
You can only view the default (system defined) alert templates. You cannot edit or delete the default alert templates. However, you can update or delete the custom (user defined) templates.
To view the default alert template format
1. Choose Alerts > Manage Alert Templates from the navigation menu.
2. Click on the default alert template name to view the format details. The following illustration displays the Network Policy Email template format.
To modify a custom alert template format
1. Choose Alerts > Manage Alert Templates from the navigation menu.
2. The Manage Alert Templates page appears.
3. Click on the template name to update the format details. You can only update the custom alert templates.
4. Make the necessary changes. Click the Update button to save the changes.
5. If you wish to save the template format with a different name for later use, update the template Name and click Save As.
Removing an Alert Template
You cannot delete the default alert templates. However, you can delete the custom alert templates.
To remove an alert template
1. Choose Alerts > Manage Alert Templates from the navigation menu.
2. Select the checkbox next to the template name and click the Remove selected template(s) button (located above the list on the top banner). You can only delete the custom templates.
3. Click Yes on the confirmation window to delete the selected alert template.
The confirmation window lists all associated alert rules for the selected template.
When you delete the selected template, all associated alert rules that are using this template will use the default templates.
The selected template will be removed from the Manage Alert Template list.
Managing Alert Rules
Manage Alert Rules lets you define rules to detect unusual traffic on your network or to detect Appliance system anomalies. You can add, modify, or remove alerts. You can configure an alert to send SNMP traps, syslog messages, and/or email notifications when the alert rule is triggered. Each Appliance includes a default set of alerts. You can modify these alerts and add to them as needed. You do not need to set up an SNMP or syslog server for the default alerts.
If you have the Manage Alerts privileges, you can modify or delete alerts created by other users.
The Manage Alert Rules page displays the following details:
Table 24 Manage Alert Rules Details
Find: Filter using keywords. Enter the keywords in the Find field and press Enter.
Name: Name of the alert.
Type: Type of the alert.
Priority: The defined priority of the alert.
Enabled: Indicates whether the alert is active. Additional indicators show when:
— You must assign a User and Alert Receiver for this alert.
— You must assign a Device for this alert.
Description: Description of the alert.
Preconfigured System Alerts
System Alerts notify you when system health and status criteria exceed acceptable bounds. All LogLogic Appliances include several system alerts that are preconfigured and enabled. By default, these alerts have:
• Email notifications sent to the Appliance admin user
• Priority set to High
• A default reset time of 300 seconds (except the TCP Forward Falling Behind alert, which has a default reset time of 3600 seconds)
All these alert settings can be customized as needed.
Table 25 Preconfigured System Alerts
System Alert - CPU Temperature: The temperature of the Appliance CPU has exceeded the specified High Threshold. Default: 70 degrees Celsius.
System Alert - Disk Usage: The usage of the specified drive on the Appliance has exceeded the specified High Threshold. Default: 80%.
System Alert - Dropped Message: The number of messages dropped by the Appliance has exceeded the specified High Threshold. Default: 10 msg/sec.
System Alert - Fail Over *: A failover has occurred on the Appliance. Default: n.a.
System Alert - Migration Complete *: A data migration involving the Appliance is successfully complete. Default: n.a.
System Alert - Network Connection Speed: The speed of the network connection for the Appliance has dropped below the specified Low Threshold. Default: 10-Half.
System Alert - Network Interface: A problem occurred with the Appliance network interface. Default: n.a.
System Alert - RAID Disk Failure: A failure occurred on an Appliance RAID disk. Default: n.a.
System Alert - Synchronization Failure *: A failure occurred during log data synchronization on the Appliance. Default: n.a.
* Indicates System Alert not available on MA product family Appliances.
Adding a New Alert Rule
Adding an alert to the Appliance involves selecting the type of alert, enabling the alert, specifying the log sources to monitor, and specifying alert recipients (SNMP traps, syslog receivers, and email user IDs).
Modifying an alert lets you change the same options available here for adding an alert.
When setting up an alert, do not pick search expressions with variables in them. Doing so treats variables as having a literal meaning.
To add an alert rule
1. Choose Alerts > Manage Alert Rules from the navigation menu.
2. Click the Add New button.
3. In the Type tab, select an alert type.
Once you select an alert type, the General tab for that alert type automatically appears. The Devices, Alert Receivers, Email Recipients, and Templates tabs are enabled.
Table 26 Alert Types
Adaptive Baseline Alert: Triggered when the messages/second rate rises above, or falls below, the nominal rate for the traffic. Note: A baseline is established after 1 week from the alert activation time. After the baseline is established, it is adjusted every 15 minutes; the new value is averaged in with the past baseline.
Cisco PIX/ASA Messages Alert: Triggered when the messages/second rate for a specific PIX/ASA message code is above or below specified rates.
Message Volume Alert: Triggered when the messages/second rate is above or below specified rates. If the user selects the “Zero Message Alert” checkbox, an alert is triggered only if zero messages are received within the timespan set.
Network Policy Alert *: Triggered when a network policy message is received with an Accept or Deny Policy Action. The Appliance automatically pulls Check Point firewall rule bases via the Check Point Management Interface (CPMI), but you still must manually enter rules for a Network Policy Alert in the Rules tab.
Parsed Data Alert: Triggered when parsed data meets certain conditions specified for the alert. Parsed Data alerts are different from other alert types; they are based on Pre-defined Search Filter alerts. See Parsed Data Alerts later in this chapter.
Pre-defined Search Filter Alert: Triggered when a text search filter matches message fields. This uses one of the Appliance's saved RegEx Search Filters.
Ratio Based Alert: Triggered when the specified message count is above or below a specified percentage of total messages. For example, “Login Success message count is fewer than 10% of total messages.” The Appliance checks for any conditions that would trigger a Ratio Based Alert every 60 seconds.
System Alert **: Triggered when an Appliance system criterion is exceeded. For example, “Disk usage exceeds 80%”. By default, System Alerts are prioritized as high. You can change their settings to medium or low if needed.
VPN Connections Alert: Triggered when a VPN connection is denied access and/or disconnected. The VPN Connections Alert is only applicable to Check Point VPN, Cisco VPN, Nortel VPN, and RADIUS Accounting device types.
VPN Messages Alert: Triggered by combinations of specific VPN message area, severity, and code. This alert is applicable to Cisco VPN devices.
VPN Statistics Alert: Triggered when recorded statistics on VPN or RADIUS messages match relative or absolute criteria. This alert is applicable to Check Point VPN, Cisco VPN, Nortel VPN, and RADIUS Accounting device types.
* The Rules tab appears for Network Policy Alerts, and is accessible only after the new alert is initially saved.
** System Alerts do not have a Devices tab.
System Alert is the only type of alert that can be created on an MA Appliance. For the ST Appliance, an Adaptive Baseline Alert, a Message Volume Alert, and a Pre-defined Search Filter Alert can be created, along with a new System Alert. An LX Appliance can create all types of Alerts.
The Pre-defined Search Filter alert type is disabled if there are no search filters defined on the Appliance. To create a Pre-defined Search Filter, use Search Filters to add the filter. A search filter for an alert can contain words, a phrase, or a RegEx expression.
4. Set up the alert in the General tab.
Options on the General tab vary depending on the alert type. For a complete list of options for a specific alert type, see the Online Help for that alert type.
These steps include typical options:
a. Enter a Name for the alert.
b. Set the alert Priority. (High is the default.)
c. Select to Enable the alert. This enables the alert once you click the Add button.
d. (Optional) Enter a specific SNMP OID to further define the alert.
For example, this is helpful so that your administrator or receiver knows that all alerts triggered with this SNMP OID originate from a specific device and alert.
e. Enter a Description for the alert.
Enter a name and description unique enough to easily identify the alert in a large list.
f. Select the Enable Schedule checkbox to specify the time period for scheduling the alerts. Select the appropriate Time and Day box to specify the schedule. The selected box turns blue. To remove any particular time slot, click on the blue box.
5. Specify log sources for the alert in the Devices tab.
All the log sources on the Appliance are listed in Available Devices. When you move a device to the Selected Devices section, the alerts you configure are activated for those devices. You can define different alerts for different devices.
For available devices where the Collector Domain was specified in a UC, the device is displayed in the format <collector domain id>_<device IP>_<device type>. For example, a Windows machine with the IP address 10.10.10.10 and collector domain 1 is displayed as 1_10.10.10.10._windows.
Select the Track all devices individually checkbox to generate independent alert messages for each selected device. The reset time tracks for the group as a whole and you can change alert properties using one alert for the device group.
When configuring any alerts (except for System Alerts) on logs transferred using LogLogic TCP, the alert reporting can be slightly less than real-time. Because LogLogic TCP sends data in chunks that the Appliance incrementally merges, an alert can appear anywhere between real-time and up to 5 minutes later. As a result, for example, Message Volume rates can be determined when averaging over a 5 minute or greater increment, but do not provide meaningful averages for smaller timespans. For Cisco PIX/ASA Messages alerts, the Timespan setting should be at least 60 seconds.
6. Specify SNMP trap receivers and syslog receivers for the alert in the Alert Receivers tab.
You can define alerts for both SNMP traps, syslog receivers and users, or for SNMP traps only. The Alert Receivers tab lists all the available traps and syslog receivers for the Appliance. You must configure SNMP traps, syslog receivers, and/or add specific traps. For more information about Alert Receivers, see the LogLogic Administration Guide.
7. Specify people to receive alerts via email in the Email Recipients tab.
Email messages that include an alert are limited to 1024 bytes. Any additional alert text is truncated in the email message.
You can define alerts for both users and SNMP traps or for users only. Available Users lists all the users available for the Appliance.
For more information about adding users, see the LogLogic Administration Guide.
8. Select templates for each alert type from the drop-down menu. The Templates tab displays all available templates for each alert type: History, SNMP, Syslog, and Email.
Once you select the template, the format is displayed below.
By default, the Default option for the Alert Email Template is selected to send the default email message. In this case, from the Message Size drop-down, select Long or Short message forms. Place a check in the Enable View Alert Detail from Email checkbox to provide additional alert detail in email.
To define or modify template formats, see Manage Alert Templates on page 102.
9. The Rules tab is enabled only for Network Policy Alerts. The Rules tab allows for defining the Accept (or Deny) Source and Destination IP Address Ranges, Port Ranges, and Protocols. When adding a Network Policy alert, you must save the alert and then modify it to access the Rules tab.
Use the Rules tab to define parameters for the alert. For example, define firewall policy rules you want to monitor for this alert. A single alert can have a single rule or multiple rules. You must add an alert before defining rules.
You can define up to 1000 rules for each alert. If you leave the fields blank and add the rule, you are still defining an alert. The Appliance accepts all values if you leave the fields blank.
10. Click the Add button to add the new alert to the Appliance.
The Devices, Alert Receivers, and Email Recipients tabs list disabled log sources, receivers, or recipients marked as (disabled). Disabled entries are ignored during processing, but are listed in these tabs so they’re automatically present when enabled again (via the Management > Devices, Administration > Alert Receivers, or Management > Users tabs, respectively).
Parsed Data Alerts
Parsed Data alerts are created differently from other alert types. There is no Parsed Data alert type to select in the interface; its creation is based on a Pre-defined Search Filter alert. The Filter specifies matching values that are extracted by the parser from the log messages.
To use a Parsed Data alert, you need to know the name of the database table where parsed logs will be stored, along with the column names. You can find the exact column names using the Management > Column Manager page to create the search filter for this alert type. For more information, see the Managing Column Manager chapter in the LogLogic Administration Guide. When specifying the matching values, the data type of the relevant table columns should be considered. For example, an IP address must be a numeric type, i.e. a 32-bit integer, and not the string representation such as 169.1.1.1.
1. Create a Pre-defined Search Filter:
a. Name the filter.
b. For filter type, select Use Exact Phrase.
c. For the DB table, specify _table= followed by the table name. (Only one _table= entry is allowed.)
d. Specify the columns and values to match as name/value pairs separated by commas. For example:
_table=Authentication,actionID=2,statusID=4
2. Create a Pre-defined Search Filter alert:
a. Name the Search Filter alert with the prefix _parsed. For example, _parsed_Login Failure.
b. Select the Pre-defined Search Filter you created for this alert.
Usage notes:
— Parsed data alerts apply only to messages from configured log sources.
— Parsed data alerts apply only to the tables configured in the alert.
— Parsed data alerts are not supported on ST Appliances.
— Do not configure the same alert for both real-time and pulled data files. Create separate alerts for each, with the same search expression.
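The Parsed Data filter syntax from steps 1 and 2 above, as an added Python illustration that is not LMI's own matching code. It parses the _table=...,column=value expression, enforces the single _table= rule, converts a dotted IP address to the 32-bit integer the parsed columns store, checks the _parsed name prefix, and applies the filter to constructed parsed rows; the table, the column names, the row values and the string comparison of values are all assumptions made for the example.

```python
import ipaddress

PARSED_ALERT_PREFIX = "_parsed"


def parse_filter(expression):
    """Parse an exact-phrase filter such as
    '_table=Authentication,actionID=2,statusID=4' into (table, {column: value}).
    Raises ValueError when _table= is missing or given more than once."""
    table = None
    conditions = {}
    for part in expression.split(","):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"expected name=value, got {part!r}")
        name, value = (s.strip() for s in part.split("=", 1))
        if name == "_table":
            if table is not None:
                raise ValueError("only one _table= entry is allowed")
            table = value
        else:
            conditions[name] = value
    if not table:
        raise ValueError("the filter must name the table with _table=")
    return table, conditions


def ip_to_int(dotted):
    """IP columns in the parsed tables hold 32-bit integers, so the filter
    value for 169.1.1.1 is its integer form, not the dotted string."""
    return int(ipaddress.IPv4Address(dotted))


def is_parsed_alert_name(name):
    """Parsed Data alerts are Search Filter alerts whose name starts with _parsed."""
    return name.startswith(PARSED_ALERT_PREFIX)


def row_matches(table, conditions, row_table, row):
    """Apply the filter to one parsed row (assumed: values compared as strings)."""
    if row_table != table:
        return False
    return all(str(row.get(col)) == wanted for col, wanted in conditions.items())


def count_matches(expression, rows):
    """Number of (table, row) pairs that would count toward the alert."""
    table, conditions = parse_filter(expression)
    return sum(row_matches(table, conditions, t, r) for t, r in rows)


# Constructed parsed rows as (table name, column values). Not real appliance data;
# the column names are made up for the example.
SAMPLE_ROWS = [
    ("Authentication", {"actionID": 2, "statusID": 4, "srcIP": ip_to_int("169.1.1.1")}),
    ("Authentication", {"actionID": 2, "statusID": 1, "srcIP": ip_to_int("169.1.1.2")}),
    ("Authentication", {"actionID": 2, "statusID": 4, "srcIP": ip_to_int("10.0.0.5")}),
    ("Connection", {"actionID": 2, "statusID": 4}),  # other table, never matches
]

LOGIN_FAILURE_FILTER = "_table=Authentication,actionID=2,statusID=4"
# The same filter narrowed to one source; the IP is supplied as an integer.
ONE_HOST_FILTER = f"{LOGIN_FAILURE_FILTER},srcIP={ip_to_int('169.1.1.1')}"

if __name__ == "__main__":
    print(is_parsed_alert_name("_parsed_Login Failure"))  # True
    print(count_matches(LOGIN_FAILURE_FILTER, SAMPLE_ROWS))  # 2
    print(count_matches(ONE_HOST_FILTER, SAMPLE_ROWS))  # 1
```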
Modifying or Removing An Alert
You can modify alert settings or remove alerts from the Manage Alert Rules page.
The same tabs appear as when you add an alert (see Adding a New Alert Rule on page 108).
To edit or remove an existing alert rule
1. Click the alert name in the Name column.
2. View the settings for the Alert Rule on the General tab, the Alert Receivers tab, the Email Recipients tab, and the Templates tab. Change the settings and click Update, or click Cancel to retain the existing settings.
3. To remove an existing alert, click the alert’s checkbox and then click the Remove button. The Remove Alerts tab appears, where you can confirm or cancel the removal.
Chapter 6 Generating Real-Time Reports
Real-Time Reports let you search and generate reports for monitoring various real-time activities derived from the log data that is collected from your log sources. Each Real-Time Report category contains multiple specific reports.
Depending on LSP packages, and your selected log sources, you may see different types of reports, columns, and optional filters for each report.
Topics
• Preparing a Real-Time Report on page 116
• Access Control Reports on page 125
• Database Activity Reports on page 134
• IBM i5/OS Activity Reports on page 140
• Threat Management Reports on page 154
• Mail Activity Reports on page 164
• Network Activity Reports on page 172
• Operational Reports on page 191
• Enterprise Content Management on page 203
• Storage Systems Activity on page 222
Preparing a Real-Time Report
The Real-Time Reports are a central component to LogLogic’s Agile Reporting, which lets you quickly view detailed information about your collected log data, catered to your specific needs.
Real-Time Reports can take longer than Saved Reports because they run against all up-to-the-minute raw log data, not against stored summarized log data.
Real-Time Reports capture all hits in collected raw log data that meet the report's criteria.
When two devices have the same IP address but only one has a Collector Domain ID, users might see duplicate data (data combined from both domains).
To generate a Real-Time Report, refer to the procedure and illustrations shown in Generating a Report—An Example on page 120.
Select a Source or Sources and Search Filters
1. In the navigation menu under Reports, select the category and type of report to generate.
2. Click Create Report to open the Properties window.
3. Under Add Log Sources, click the down arrow next to Select and pick a filter (Name, Collector Domain, IP Address, Group or Type) to filter returns.
a. If you picked “Name”, enter a Source Name, a specific Device Name or a Name Mask. Wild cards are accepted in this field.
b. If you picked "Collector Domain", enter the name of the Collector Domain. This is the name used to identify each message sent from a specific device.
c. If you picked “IP Address”, enter a Source IP Address, a specific IP Address or an IP Address Mask. Wild cards are accepted in this field.
d. If you picked “Group”, enter a Group Name, or click the down arrow to the right of the text field and select “All” or one of the other Group names displayed in the drop-down box.
e. If you picked “Type”, enter a Source Type (a specific device type), or click the down arrow to the right of the text field and select “All” or one of the other Device Types displayed in the drop-down box.
When adding a large number of devices, create a dynamic rule which contains all listed devices. To create a rule, first filter by Name or Type to retrieve the list of devices. Then, click the << Add filters as a rule button to create a dynamic rule which contains all listed devices in the right pane.
4. If desired, add a second filter by clicking the + sign and repeating Step 3 as often as you like.
5. To delete a filter, click the - sign to remove the last selection made (repeat if needed). Do not click Cancel unless you want to cancel your report.
6. Click <<Add as a rule, and enter a name in the text field of the dynamic rule pop-up.
7. Click OK to add the selected source and filters to the left-hand pane.
8. Select a device name (or names) by clicking its name.
9. Click <<Add selected log sources to add devices from the selected source to which you want to apply the filters when running the report.
10. Click Run to initiate a report of the selected source and devices with the filters you chose in Step 3.
Select Time Frame and Run a Report
1. When you click Run in Step 10, the Date and Time Range Picker pops up, with Last Hour as the default setting. Click the down arrow next to Last Hour to reveal several other options (Last 2, 3, 6, 12, 18 or 24 Hours; Today; Yesterday).
2. To select a different date range, click the small calendar icon to the right of the current Date and Hour display and choose any month and day for the start of the report period. Move to the right and click the second small calendar icon to choose any month and day for the end of the report period.
3. Click Run again to execute the report.
Resize & Move Columns, Create Charts, Print and Download a Report
1. On the results page, you may resize and move the columns to the positions you prefer by clicking on them and dragging.
2. To see detailed information for a particular Source device, click the number of returns for the device in the Count column.
3. Click <back to summarized results and then click Display Chart. Both Pie and Bar charts are available. The chart segments can be highlighted by mousing over them. Right-clicking on the chart or segments opens a print menu.
The charts are populated based on the column that is used as the data source. For example, Denied Connections: On Demand (Chart for: Attempts), where Attempts is the column name that is used as the data source for the chart. If you need to display a chart based on a different column, you must sort the report by that column, and the column must have numeric values.
4. Reports may be downloaded in CSV, PDF, or HTML format by clicking on the icons below the Display Chart button.
Modify Report Settings and Time Frame
1. Clicking the Edit Settings button opens up a Properties window again, this time allowing you to Add Columns and Filters if desired.
2. Enter your selections for Add Columns and Filters (if any) and click Save As.
3. Enter a name and description for the report in the pop-up window. Select Share with others if desired. Click Save & Close.
4. Click Run Again to execute your report with the new filtering criteria. The new report will appear in the list of all Saved Reports (from Reports > All Saved Reports).
5. Click the date range (blue type at top left) to modify the timeframe for your report. The Date and Time Range Picker appears, with Last Hour as the default setting. Follow the steps listed in Select Time Frame and Run a Report on page 117.
6. From the list of Saved Reports (access Reports > All Saved Reports), you may click Run or Edit to modify the report settings of any Saved Report.
7. To search for a particular report or report series in the Saved Reports list, click in the Find field and enter a search term.
8. Press Enter. Any term found in the list of report titles will be highlighted; all other reports not containing the search term will no longer show in the list of Saved Reports. Clear the search term in the Find field and press Enter to see all Saved Reports again.
9. You may add a schedule for a Saved Report by clicking the report Name and then clicking Schedule selected.
The Scheduling window opens. You can define a Timeframe, Email Recipients (pre-defined system users), and Formatting options. Click the Manage Recipients button to update the Appliance address book. Using this option, you can add new or modify recipient addresses for people who are not defined system users (that is, not defined under the Management > Users page).
10. You may delete a Saved Report from the list by clicking the report Name and then clicking Remove selected. You will see a pop-up message asking you to Confirm Deletion.
Saving a Generated Report
There are several options for saving a generated report, available from the icons at the top of the report results:
• Save as CSV—Downloads and saves the report data in a comma-separated .csv file, viewable in spreadsheet applications such as Microsoft Excel.
• Save as PDF—Downloads and saves the report data in a PDF file, viewable in a PDF reader such as Adobe Acrobat Reader.
• View as HTML—Opens the report data formatted in a new browser window or tab, from which you can also download the HTML file for archival.
Rerunning a Saved Report
To rerun a saved report, go to Reports > All Saved Reports and select a previously saved report. You may click the Run icon and regenerate the report with a different time range, or click the Edit icon and change the saved report parameters before rerunning the report. All options are available, not just the ones originally selected. You may customize the new report using new filters and wildcards.
Wildcard searches are supported for IP addresses and detailed messages.
Generating a Report—An Example
This example shows how to generate a Network Activity report that displays denied connection activity related to the IP addresses you select. The steps below apply to the generation of all reports on the Appliance except the Check Point Policies report, which lists current Check Point Firewall policy rules on log sources connected to your Appliance.
The other exception is All Saved Reports, which lists previous search results, saved as reports, and selected to be shared with others at the time of generation.
To generate a Denied Connections Report
1. Select Reports > Network Activity > Denied Connections from the home page menu.
2. Click the Create Report button.
3. Select the log source connected to the Appliance.
4. Select log sources from the list by clicking their names. Click Add selected log sources to move them to the Log Sources list.
5. Click Run to run the report.
6. Specify the time interval to search for data passing through the Appliance and click Run.
7. On the Denied Connections results page, adjust the order and position of columns.
8. Select Display Chart to graph the Denied Connections results. Pie chart and bar chart options are available. Mousing over the chart segments highlights the results.
The charts are populated based on the column that is used as the data source. For example, Denied Connections: On Demand (Chart for: Attempts), where Attempts is the column name that is used as the data source for the chart. If you need to display a chart based on a different column, you must sort the report by that column, and the column must have numeric values.
Figure 14 Denied Connections Report – Pie Chart Display
9. Right-click a chart segment to print the data in the segment.
10. At the top menu, select the CSV, PDF, or HTML icon to export the entire report to a file.
11. To choose another time to run the Denied Connections report, click the date range in the upper left section of the report.
12. Select the date and time and click Run.
13. Click the Edit Settings button to revise columns and filters in the report and Run the report again.
To re-run and edit settings of a previously saved report (Denied Connections):
1. Select Reports > Network Activity > Denied Connections from the Home page.
2. To run the saved report, click the Run icon and then click the Run button on the Date and Time Range Picker that pops up.
3. After the Denied Connections report opens, click the Edit Settings button.
4. Click Properties to open the Properties Dialog pane.
5. Enter your data and click OK.
6. To add a schedule for the Denied Connections report, click the Scheduling link.
The Add a Schedule pane opens on the right side. You can define a Timeframe, Email Recipients (pre-defined system users), and Formatting options. Click the Manage Recipients button to update the Appliance address book. Using this option, you can add or modify recipient addresses for recipients who are not defined system users (that is, not defined on the Management > Users page).
7. Click the Add Schedule button at the bottom of the Timeframe pane to confirm the schedule for the Denied Connections report.
8. Click Save and Close on the Properties window to save your entries.
9. View the saved schedule for the Denied Connections report.
10. To make further changes to the Denied Connections report, repeat Steps 1 to 9.
Available Operators
Each report has multiple filter operators available that are listed in Table 27 on page 123.
Some report columns display as empty when the actual value is either null or an empty string.
• If the value is null, you can filter using --null--.
• If the value is an empty string, you can filter using two single quotes ('').
Table 27 Optional Filter Operators
Operator | Description
= | Specifies an acceptable substitution for a word in a query.
!= | Specifies to not substitute a word in a query.
in | Displays data in the results that contains the specified word in a list.
not in | Excludes data in the results that contains the specified word in a list.
like | Displays data that has a partial match to the value you type. For example, you can use this operator to type a partial IP address such as 10.2.3.*. This type of search returns all IP addresses which contain these numbers.
not like | Excludes data that contains a partial match to the value you type.
contain | Displays data that matches the alphanumeric string you type. For example, you can use this operator to type a string such as 'Accessed URL' for any detailed message. This type of search returns all detailed messages which contain, start with, or end with the 'Accessed URL' value.
not contain | Excludes data that matches the alphanumeric string you type.
start with | Displays data that begins with the alphanumeric value you type. For example, you can use this operator to type a string such as 'Accessed URL' for any detailed message. This type of search returns all detailed messages which contain, start with, or end with the 'Accessed URL' value.
not start with | Excludes data that begins with the alphanumeric value you type.
end with | Displays data that ends with the alphanumeric value you type. For example, you can use this operator to type a string such as 'Accessed URL' for any detailed message. This type of search returns all detailed messages which contain, start with, or end with the 'Accessed URL' value.
not end with | Excludes data that ends with the alphanumeric value you type.
regexp | Displays only data in the results that contains the regular expression you define.
not regexp | Displays only data in the results that does not contain the regular expression you define.
> | Displays only data in the results that is above a threshold number.
< | Displays only data in the results that is below a threshold number.
between | Displays data that is between (inclusive) the numeric values you type.
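As an added illustration (written for this guide, not the Appliance's own code), the following Python evaluator applies the Table 27 operators to constructed sample rows shaped like a Denied Connections report, including the --null-- and '' tokens used to tell a null column from an empty-string column. The '*' wildcard for like, case-sensitive text matching, numeric comparison for >, < and between, and ANDing of all filters on a report are assumptions, since the guide does not spell them out.

```python
"""Evaluator for the report filter operators of Table 27 (added example).

Written for this guide, not the LogLogic Appliance's own code; the Appliance's
exact matching rules may differ. Assumed: '*' wildcards in "like" patterns,
case-sensitive text matching, numeric comparison for >, < and between, and
all filters on one report ANDed together.
"""
import re
from fnmatch import fnmatchcase
from typing import Any, Callable, Dict, List, Optional, Sequence, Tuple

# Special tokens from the guide: --null-- matches a null value and two single
# quotes match an empty string. A column that displays as empty may hold
# either, and the two tokens are not interchangeable.
NULL_TOKEN = "--null--"
EMPTY_TOKEN = "''"


def _literal(value: Any) -> Any:
    """Translate the special tokens into the values they stand for."""
    if value == NULL_TOKEN:
        return None
    if value == EMPTY_TOKEN:
        return ""
    return value


def _text(field: Any) -> str:
    """Text view of a field; null has no text for the string operators."""
    return "" if field is None else str(field)


def _num(field: Any) -> Optional[float]:
    """Numeric view of a field, or None when null, empty or non-numeric."""
    try:
        return float(field)
    except (TypeError, ValueError):
        return None


def _cmp(field: Any, value: Any, test: Callable[[float, float], bool]) -> bool:
    """Numeric comparison; a null, empty or non-numeric field never matches."""
    n = _num(field)
    return n is not None and test(n, float(value))


def _between(field: Any, bounds: Sequence[Any]) -> bool:
    """Inclusive range, as the guide specifies for 'between'."""
    n = _num(field)
    return n is not None and float(bounds[0]) <= n <= float(bounds[1])


OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "=": lambda f, v: f == _literal(v),
    "!=": lambda f, v: f != _literal(v),
    "in": lambda f, v: f in [_literal(x) for x in v],
    "not in": lambda f, v: f not in [_literal(x) for x in v],
    "like": lambda f, v: fnmatchcase(_text(f), v),  # e.g. 10.2.3.*
    "not like": lambda f, v: not fnmatchcase(_text(f), v),
    "contain": lambda f, v: v in _text(f),  # substring anywhere
    "not contain": lambda f, v: v not in _text(f),
    "start with": lambda f, v: _text(f).startswith(v),
    "not start with": lambda f, v: not _text(f).startswith(v),
    "end with": lambda f, v: _text(f).endswith(v),
    "not end with": lambda f, v: not _text(f).endswith(v),
    "regexp": lambda f, v: re.search(v, _text(f)) is not None,
    "not regexp": lambda f, v: re.search(v, _text(f)) is None,
    ">": lambda f, v: _cmp(f, v, lambda a, b: a > b),
    "<": lambda f, v: _cmp(f, v, lambda a, b: a < b),
    "between": _between,
}

Filter = Tuple[str, str, Any]  # (column, operator, value)


def apply_filters(rows: List[Dict[str, Any]], filters: Sequence[Filter]) -> List[Dict[str, Any]]:
    """Return the rows for which every (column, operator, value) filter holds."""
    for _col, op, _val in filters:
        if op not in OPERATORS:
            raise ValueError(f"unknown filter operator: {op!r}")
    return [row for row in rows
            if all(OPERATORS[op](row.get(col), val) for col, op, val in filters)]


# Constructed sample rows in the shape of a Denied Connections report
# (made-up values, not Appliance output).
SAMPLE_ROWS: List[Dict[str, Any]] = [
    {"source_ip": "10.2.3.4", "dest_ip": "192.0.2.10", "attempts": 12,
     "message": "Accessed URL /admin denied"},
    {"source_ip": "10.2.3.77", "dest_ip": "192.0.2.20", "attempts": 3,
     "message": "Connection refused"},
    {"source_ip": "172.16.5.9", "dest_ip": "192.0.2.10", "attempts": 40,
     "message": ""},  # empty string: matched by '' but not by --null--
    {"source_ip": "198.51.100.8", "dest_ip": None, "attempts": 1,
     "message": "User Accessed URL"},  # null dest_ip: matched by --null--
]


def source_ips(filters: Sequence[Filter]) -> List[str]:
    """Source IP of each sample row that passes the filters, in report order."""
    return [row["source_ip"] for row in apply_filters(SAMPLE_ROWS, filters)]
```

For instance, source_ips([("source_ip", "like", "10.2.3.*"), ("attempts", "<", 5)]) keeps only the 10.2.3.77 row, while ("dest_ip", "=", "--null--") and ("message", "=", "''") select different rows even though both columns display as empty.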
Access Control Reports
To search for and generate reports on the number of times a selected log source executes an authentication rule, use Access Control reports.
The submenu that appears when you click home: Reports > Access Control lists which reports are available for each log source.
To access Access Control reports
Choose home: Reports > Access Control > report-name from the navigation submenu, where report-name is any one of the following Access Control reports.
Table 28 Access Control Reports
Report | Definition
Permission Modification | Use the Permission Modification screen to search for and create a report on changes made to user permissions on selected log sources during a specified time interval.
User Access | Use the User Access screen to search for and generate a report on user activities in accessing resources (for example, service, file, directory, application) on selected log sources during a specified time interval.
User Authentication | Use the User Authentication screen to search for and generate a report on who has authenticated on selected log sources during a specified time interval.
User Created/Deleted | Use the User Created/Deleted screen to search for and generate a report on what users have created or deleted during a specified time interval.
User Last Activity | Use the User Last Activity screen to search for and generate a report on activity of users during a specified time interval.
Windows Events | Use the Windows Events screen to search for and generate a report on data about all log events from the Microsoft Windows operating systems. For example, the captured log events include application, security, and system events.
Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.
Optional filter operators are different for each Access Control report, and are explained in their respective sections.
For information on saving the generated report, see Saving a Generated Report on page 119.
Permission Modification Reports
To search for and generate a report on activities related to modification of user permissions (for example, adding or deleting permissions) on selected log sources during a specified time interval, use the Permission Modification Real-Time Report.
Menu path: home: Reports > Access Control > Permission Modification
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional columns and filters can be sorted in ascending or descending order.
Choose sort order using the drop-down menu. The optional filters are:
Table 29 Permission Modification Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent these log messages
User | User who is making the inquiry
Action | Action taken
Status | Status of the connection
Source IP | IP address of the source host device
Source Domain | Domain of the source host device
Target User | User for whom inquiry is being made
Target IP | IP address of the accessed Appliance
Target Domain | Domain of the accessed Appliance
Type | Type of connection
Originating Host | The original host name where the event was originally created
Subsystem | The subsystem of the host
Originating IP | The original source IP address where the event was originally created
Event Name | Name of the event
Application Type | The type of application that generated the event
Count | Number of connections
For information on saving the generated report, see Saving a Generated Report on page 119.
User Access Reports
To search for and generate a report on user activities in accessing resources (for example, service, file, directory, application) on selected log sources during a specified time interval, use the User Access Real-Time Report.
Menu path: home: Reports > Access Control > User Access
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The options are:
Table 30 User Access Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent these log messages
User | User who is making the inquiry
Source IP | IP address of the source host device
Source Domain | Domain of the source host device
Target User | User for whom inquiry is being made
Target IP | IP address of the accessed Appliance
Target Domain | Domain of the accessed Appliance
Group | The name of the Policy group
Action | Action taken
Status | Status of the connection
Type | Type of connection
Originating Host | The original host name where the event was originally created
Subsystem | The subsystem of the host
Originating IP | The original source IP address where the event was originally created
Event Name | Name of the event
Application Type | The type of application that generated the event
Count | Number of connections
For information on saving the generated report, see Saving a Generated Report on page 119.
User Authentication Reports
To search for and generate a report on who has authenticated on selected log sources during a specified time interval, use the User Authentication Real-Time Report.
Menu path: home: Reports > Access Control > User Authentication
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Source IP, Status, and Count.
Table 31 User Authentication Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent these log messages
User | User who is making the inquiry
Source IP | IP address of the source host device
Source Domain | Domain of the source host device
Target User | User for whom the inquiry is made
Group | The name of the Policy group
Originating Host | The original host name where the event was originally created
Subsystem | The subsystem of the host
Originating IP | The original source IP address where the event was originally created
Event Name | Name of the event
Application Type | The type of application that generated the event
Status | Status of the connection
Type | Type of connection
Disconnect Reason | Reason the connection was terminated
Count | Number of connections
For information on saving the generated report, see Saving a Generated Report on page 119.
User Created/Deleted Reports
To search for and generate a report on what users have been created or deleted on selected log sources during a specified time interval, use the User Created/Deleted Real-Time Report.
Menu path: home: Reports > Access Control > User Created/Deleted
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Source IP, Target User, Target IP, and Count.
Table 32 User Created/Deleted Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent these log messages
User | User who is making the inquiry
Source IP | IP address of the source host device
Target User | User for whom the inquiry is being made
Target IP | IP address of the accessed Appliance
Originating Host | The original host name where the event was originally created
Subsystem | The subsystem of the host
Originating IP | The original source IP address where the event was originally created
Event Name | Name of the event
Application Type | The type of application that generated the event
Action | Action taken
Action Details | Details of the action
Status | Status of use
Count | Number of connections
For information on saving the generated report, see Saving a Generated Report on page 119.
User Last Activity Reports
To search for and generate a report on the most recent activity of all users on selected log sources during a specified time interval, use the User Last Activity report.
Menu path: home: Reports > Access Control > User Last Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
Table 33 User Last Activity Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent these log messages
Time | Time of connection
Connection ID | ID number for the connection
User | User who is making the inquiry
Source IP | IP address of the source host device
Target User | User for whom the inquiry is being made
Target IP | IP address of the accessed Appliance
Action | Action taken
Action Details | Details of the action
Status | Status of the activity
Originating Host | The original host name where the event was originally created
Subsystem | The subsystem of the host
Originating IP | The original source IP address where the event was originally created
Event Name | Name of the event
Application Type | The type of application that generated the event
Access Details | Details of access
For information on saving the generated report, see Saving a Generated Report on page 119.
Windows Events Reports
To search for and generate a report on data on all Windows Event IDs, the number of events for each ID, and a description of each ID for selected log sources running the Microsoft Windows operating systems, use the Windows Events Real-Time Report. For example, the captured log events include application, security, and system events.
Menu path: home: Reports > Access Control > Windows Events
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, Event ID, and Count.
Table 34 Windows Events Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent these log messages
Event ID | Numeric ID corresponding to the source device
User | User ID on the source device
Source Domain | Domain name of the source device
Target User | User ID of the destination device
Target Domain | Domain name of the destination device
Originating Host | The original host name where the event was originally created
Subsystem | The subsystem of the host
Originating IP | The original source IP address where the event was originally created
Event Name | Name of the event
Application Type | The type of application that generated the event
Action | Action taken
Status | Status of use
Type | Content type of the object as seen in the HTTP reply header
Count | Number of Windows events for the source device
For information on saving the generated report, see Saving a Generated Report on page 119.
Database Activity Reports
To search for and generate reports on various events occurring on database server log sources, use the Database Activity reports.
To access Database Activity reports
Choose home: Reports > Database Activity > report-name from the navigation menu, where report-name is any one of the following reports:
Table 35 Database Activity Reports
Report | Description
All Database Events | Use the All Database Events screen to search for and generate a report on the event types that are occurring.
Database Access | Use the Database Access screen to search for and generate a report on all database server connections including user access and failed user access attempts.
Database Data Access | Use the Database Data Access screen to search for and generate a report on user access and changes to your data for a specified time period.
Database Privilege Modifications | Use the Database Privilege Modifications screen to search for and generate a report on database privilege changes, such as user reconfiguration and privilege manipulation.
Database System Modifications | Use the Database System Modifications screen to search for and generate a report on system database changes such as drops and table drops.
Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.
Optional filter operators are different for each Database Activity report, and are explained in their respective sections.
For information on saving the generated report, see Saving a Generated Report on page 119.
All Database Events Reports
To search for and generate a report on the event types that are occurring on specified database server log sources during a specified time interval, use the All Database Events Real-Time Report.
Menu path: home: Reports > Database Activity > All Database Events
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.
Table 36 All Database Events Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent these log messages
Database | Database name on which the action occurred
DB User | User name of the database user whose actions were audited
Sys Priv | System privileges granted or revoked
Database Object Name | Name of the object affected by the action
Status | Status or return code of the action completion (numeric value)
Severity | Severity level of the event
OS User | Operating system login user name of the user whose actions were audited
Event Type ID | Database vendor audit code for the action type
Event Type Name | Type of database event such as DROP_TABLE, SQL_UPDATE, or CREATE_TABLE (names vary by vendor)
Object Priv | Object privileges granted or revoked on the database object
Count | Number of log entries returned with the given parameters
For information on saving the generated report, see Saving a Generated Report on page 119.
Database Access Report
To search for and generate a report on all database server connections, including user access and failed user access attempts, on specified database server log sources during a specified time interval, use the Database Access Real-Time Report.
Menu path: home: Reports > Database Activity > Database Access
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.
Table 37 Database Access Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent log data
Database | Database name on which the action occurred
DB User | User name of the database user whose actions were audited
Sys Priv | System privileges granted or revoked
Database Object Name | Name of the object affected by the action
Status | Status or return code of the action completion (numeric value)
Severity | Severity level of the event
OS User | Operating system login user name of the user whose actions were audited
Event Type ID | Database vendor audit code for the action type
Access Type | The action or method used to access any database object
Object Priv | Object privileges granted or revoked on the database object
Count | Number of log entries returned with the given parameters
For information on saving the generated report, see Saving a Generated Report on page 119.
Database Data Access Report
To search for and generate a report on user access and changes to your data on specified database server log sources during a specified time interval, use the Database Data Access Real-Time Report.
Menu path: home: Reports > Database Activity > Database Data Access
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, Event Type ID, Event Type Name, Count.
Table 38 Database Data Access Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent log data
Database | Database name on which the action occurred
DB User | User name of the database user whose actions were audited
Sys Priv | System privileges granted or revoked
Database Object Name | Name of the object affected by the action
Status | Status or return code of the action completion (numeric value)
Severity | Severity level of the event
OS User | Operating system login user name of the user whose actions were audited
Event Type ID | Database vendor audit code for the action type
Access Type | The action or method used to access any database object
Object Priv | Object privileges granted or revoked on the database object
Count | Number of log entries returned with the given parameters
For information on saving the generated report, see Saving a Generated Report on page 119.
Database Privilege Modifications Report
To search for and generate a report on database privilege changes, such as user reconfiguration and privilege manipulation, on specified database server log sources during a specified time interval, use the Database Privilege Modifications Real-Time Report.
Menu path: home: Reports > Database Activity > Database Privilege Modifications
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, DB User, Modification Type, Object Priv, and Count.
Table 39 Database Privilege Modifications Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent log data
Database | Database name on which the action occurred
DB User | User name of the database user whose actions were audited
Sys Priv | System privileges granted or revoked
Database Object Name | Name of the object affected by the action
Status | Status or return code of the action completion (numeric value)
Severity | Severity level of the event
OS User | Operating system login user name of the user whose actions were audited
Event Type ID | Database vendor audit code for the action type
Modification Type | Modification action of a user, profile, or role privilege
Object Priv | Object privileges granted or revoked on the database object
Count | Number of log entries returned with the given parameters
For information on saving the generated report, see Saving a Generated Report on page 119.
Database System Modifications Report
To search for and generate a report on system database changes such as drops and table drops, use the Database System Modifications Real-Time Report.
Menu path: home: Reports > Database Activity > Database System Modifications
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are selected: Source Device, Database, DB User, Database Object Name, Access/Modification Type, and Count.
Table 40 Database System Modifications Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent log data
Database | Database name on which the action occurred
DB User | User name of the database user whose actions were audited
Sys Priv | System privileges granted or revoked
Database Object Name | Name of the object affected by the action
Status | Status or return code of the action completion (numeric value)
Severity | Severity level of the event
OS User | Operating system login user name of the user whose actions were audited
Event Type ID | Database vendor audit code for the action type
Access/Modification Type | Modification action of a user, profile, or role privilege
Object Priv | Object privileges granted or revoked on the database object
Count | Number of log entries returned with the given parameters
For information on saving the generated report, see Saving a Generated Report on page 119.
IBM i5/OS Activity Reports
To search for and generate reports on various events occurring on your IBM i5/OS log sources, use IBM i5/OS Activity reports.
To access IBM i5/OS Activity reports
Choose home: Reports > IBM i5/OS Activity > report-name from the navigation menu, where report-name is any one of the following reports:
Table 41 IBM i5/OS Activity Reports
Report | Description
All Log Entry Types | Use the IBM i5/OS Activity All Log Entry Types screen to search for and generate a report on all recorded entry types.
System Object Access | Use the IBM i5/OS Activity System Object Access screen to search for and generate a report on all failed access attempts throughout the system.
User Access by Connection | Use the IBM i5/OS Activity User Access by Connection screen to search for and generate a report on all system access and system access attempts by user.
User Actions | Use the IBM i5/OS Activity User Actions screen to search for and generate a report on all user actions performed and attempted.
User Jobs | Use the IBM i5/OS Activity User Jobs screen to search for and generate a report on all jobs that users are running.
Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.
Optional filter operators are different for each IBM i5/OS Activity report, and are explained in their respective sections.
For information on saving the generated report, see Saving a Generated Report on page 119.
All Log Entry Types Reports
To search for and generate a report on all recorded entry types, use the All Log Entry Types Real-Time Report.
Menu path: home: Reports > IBM i5/OS Activity > All Log Entry Types
Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu.
Table 42 All Log Entry Types Reports Optional Filter Operators
Option | Field | Description
Source Device | devIP | IP address of the device that sent log data
Journal Type | jrnEntryType | Two-character Audit Journal record (entry) type
Journal Description | jrnTypeDesc | Description of the journal entry type
Journal Job | jobName | Name of the job that caused the entry to be created
Journal User | jrnUserName | Profile name of the user associated with Journal Job
Journal Number | jrnJobNbr | Job number of the Journal Job
Journal Program | jrnPgm | Name of the program that created the entry
Journal Library | jrnPgmLib | Program library
Journal System Name | jrnSyName | Name of the system where the journal resides
Journal Remote Port | jrnRmtPort | Remote port of the system associated with the journal entry
Journal Remote Address | jrnRmtIPAdr | Network address of the system associated with this entry
Action | action | An action associated with the entry type
Action Description | actionDesc | Description of the action
Attribute Name | attribute | Name of an attribute that was the target of the action
Attribute Description | attributeDesc | Description of the attribute (if available)
Destination Server | destServer | Name of a remote workstation or server in a network event
DLO Folder | DLOFolder | Name of the Document Library Object folder
DLO User | DLOUser | Name of the Document Library Object owner or user creating or accessing the DLO
Entry Type | entryType | Type of event or entry in the journal type (can be considered a subtype of the journal type)
Entry Description | entryDesc | Description of the entry
Job Name | jobName | Name of the Journal Job or the job that was the target of the action described in the entry
Job Number | jobNumber | Number of the Journal Number or the job that was the target of the action described in the entry
Job User | jobUser | The Journal User or profile name of the user associated with the job that was the target of the action described in the entry
Local IP Address | lclIPadr | Local IP address of the system involved in the network event
Object Library | lib | Library of the object that was acted on
Object Name | obj | Name of the object that was acted on
Object Type | objType | Type of object that was acted on
Remote IP Address | rmtIPadr | Remote IP address of the system involved in the network event
Source Server | srcServer | Name of a workstation or server where the audited event occurred, or that was the source system in a network event
Status | status | Status code
Status Description | statusDesc | Description of the status code (if available)
User ID/Profile | user | A user ID (UID) or user profile involved in the recorded event; typically the originator or target of the event
Journal Code | details | Provides event details.
Count | (computed by the Appliance) | A count of action attempts, entries, or other count information; dependent on Journal and Entry type
For information on saving the generated report, see Saving a Generated Report on page 119.
System Object Access Reports
To search for and generate a report on all failed access attempts throughout the system, use the System Object Access Real-Time Report.
Menu path: home: Reports > IBM i5/OS Activity > System Object Access
Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu.
Table 43 System Object Access Reports Optional Filter Operators

Option | Field | Description
--- | --- | ---
Source Device | devIP | IP address of the device that sent log data
Journal Type | jrnEntryType | Two-character Audit Journal record (entry) type
Journal Description | jrnTypeDesc | Description of the journal entry type
Journal Job | jobName | Name of the job that caused the entry to be created
Journal User | jrnUserName | Profile name of the user associated with the Journal Job
Journal Number | jrnJobNbr | Job number of the Journal Job
Journal Program | jrnPgm | Name of the program that created the entry
Journal Library | jrnPgmLib | Program library
Journal System Name | jrnSyName | Name of the system where the journal resides
Journal Remote Port | jrnRmtPort | Remote port of the system associated with the journal entry
Journal Remote Address | jrnRmtIPAdr | Network address of the system associated with this entry
Action | action | An action associated with the entry type
Action Description | actionDesc | Description of the action
Attribute Name | attribute | Name of an attribute that was the target of the action
Attribute Description | attributeDesc | Description of the attribute (if available)
Destination Server | destServer | Name of a remote workstation or server in a network event
DLO Folder | DLOFolder | Name of the Document Library Object folder
DLO User | DLOUser | Name of the Document Library Object owner, or of the user creating or accessing the DLO
Entry Type | entryType | Type of event or entry within the journal type (can be considered a subtype of the journal type)
Entry Description | entryDesc | Description of the entry
Job Name | jobName | Name of the Journal Job, or of the job that was the target of the action described in the entry
Job Number | jobNumber | Journal Number, or number of the job that was the target of the action described in the entry
Job User | jobUser | Journal User, or profile name of the user associated with the job that was the target of the action described in the entry
Local IP Address | lclIPadr | Local IP address of the system involved in the network event
Object Library | lib | Library of the object that was acted on
Object Name | obj | Name of the object that was acted on
Object Type | objType | Type of object that was acted on
Remote IP Address | rmtIPadr | Remote IP address of the system involved in the network event
Source Server | srcServer | Name of a workstation or server where the audited event occurred, or that was the source system in a network event
Status | status | Status code
Status Description | statusDesc | Description of the status code (if available)
User ID/Profile | user | A user ID (UID) or user profile involved in the recorded event; typically the originator or target of the event
Journal Code | details | Provides event details
Count | (computed by the Appliance) | A count of action attempts, entries, or other count information; dependent on Journal and Entry type
For information on saving the generated report, see Saving a Generated Report on page 119.
User Access By Connection Reports
To search for and generate a report on all system access and system access attempts by users, use the User Access By Connection Real-Time Report.
Menu path: home: Reports > IBM i5/OS Activity > User Access By Connection
Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu.
Table 44 User Access By Connection Reports Optional Filter Operators

Option | Field | Description
--- | --- | ---
Source Device | devIP | IP address of the device that sent log data
Journal Type | jrnEntryType | Two-character Audit Journal record (entry) type
Journal Description | jrnTypeDesc | Description of the journal entry type
Journal Job | jobName | Name of the job that caused the entry to be created
Journal User | jrnUserName | Profile name of the user associated with the Journal Job
Journal Number | jrnJobNbr | Job number of the Journal Job
Journal Program | jrnPgm | Name of the program that created the entry
Journal Library | jrnPgmLib | Program library
Journal System Name | jrnSyName | Name of the system where the journal resides
Journal Remote Port | jrnRmtPort | Remote port of the system associated with the journal entry
Journal Remote Address | jrnRmtIPAdr | Network address of the system associated with this entry
Action | action | An action associated with the entry type
Action Description | actionDesc | Description of the action
Attribute Name | attribute | Name of an attribute that was the target of the action
Attribute Description | attributeDesc | Description of the attribute (if available)
Destination Server | destServer | Name of a remote workstation or server in a network event
DLO Folder | DLOFolder | Name of the Document Library Object folder
DLO User | DLOUser | Name of the Document Library Object owner, or of the user creating or accessing the DLO
Entry Type | entryType | Type of event or entry within the journal type (can be considered a subtype of the journal type)
Entry Description | entryDesc | Description of the entry
Job Name | jobName | Name of the Journal Job, or of the job that was the target of the action described in the entry
Job Number | jobNumber | Journal Number, or number of the job that was the target of the action described in the entry
Job User | jobUser | Journal User, or profile name of the user associated with the job that was the target of the action described in the entry
Local IP Address | lclIPadr | Local IP address of the system involved in the network event
Object Library | lib | Library of the object that was acted on
Object Name | obj | Name of the object that was acted on
Object Type | objType | Type of object that was acted on
Remote IP Address | rmtIPadr | Remote IP address of the system involved in the network event
Source Server | srcServer | Name of a workstation or server where the audited event occurred, or that was the source system in a network event
Status | status | Status code
Status Description | statusDesc | Description of the status code (if available)
User ID/Profile | user | A user ID (UID) or user profile involved in the recorded event; typically the originator or target of the event
Journal Code | details | Provides event details
Count | (computed by the Appliance) | A count of action attempts, entries, or other count information; dependent on Journal and Entry type
For information on saving the generated report, see Saving a Generated Report on page 119.
User Actions Reports
To search for and generate a report on all user actions performed and attempted, use the User Actions Real-Time Report.
Menu path: home: Reports > IBM i5/OS Activity > User Actions
Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu.
Table 45 User Actions Reports Optional Filter Operators

Option | Field | Description
--- | --- | ---
Source Device | devIP | IP address of the device that sent log data
Journal Type | jrnEntryType | Two-character Audit Journal record (entry) type
Journal Description | jrnTypeDesc | Description of the journal entry type
Journal Job | jobName | Name of the job that caused the entry to be created
Journal User | jrnUserName | Profile name of the user associated with the Journal Job
Journal Number | jrnJobNbr | Job number of the Journal Job
Journal Program | jrnPgm | Name of the program that created the entry
Journal Library | jrnPgmLib | Program library
Journal System Name | jrnSyName | Name of the system where the journal resides
Journal Remote Port | jrnRmtPort | Remote port of the system associated with the journal entry
Journal Remote Address | jrnRmtIPAdr | Network address of the system associated with this entry
Action | action | An action associated with the entry type
Action Description | actionDesc | Description of the action
Attribute Name | attribute | Name of an attribute that was the target of the action
Attribute Description | attributeDesc | Description of the attribute (if available)
Destination Server | destServer | Name of a remote workstation or server in a network event
DLO Folder | DLOFolder | Name of the Document Library Object folder
DLO User | DLOUser | Name of the Document Library Object owner, or of the user creating or accessing the DLO
Entry Type | entryType | Type of event or entry within the journal type (can be considered a subtype of the journal type)
Entry Description | entryDesc | Description of the entry
Job Name | jobName | Name of the Journal Job, or of the job that was the target of the action described in the entry
Job Number | jobNumber | Journal Number, or number of the job that was the target of the action described in the entry
Job User | jobUser | Journal User, or profile name of the user associated with the job that was the target of the action described in the entry
Local IP Address | lclIPadr | Local IP address of the system involved in the network event
Object Library | lib | Library of the object that was acted on
Object Name | obj | Name of the object that was acted on
Object Type | objType | Type of object that was acted on
Remote IP Address | rmtIPadr | Remote IP address of the system involved in the network event
Source Server | srcServer | Name of a workstation or server where the audited event occurred, or that was the source system in a network event
Status | status | Status code
Status Description | statusDesc | Description of the status code (if available)
User ID/Profile | user | A user ID (UID) or user profile involved in the recorded event; typically the originator or target of the event
Journal Code | details | Provides event details
Count | (computed by the Appliance) | A count of action attempts, entries, or other count information; dependent on Journal and Entry type
For information on saving the generated report, see Saving a Generated Report on page 119.
User Jobs Reports
To search for and generate a report on all jobs that users are running, use the User Jobs Real-Time Report.
Menu path: home: Reports > IBM i5/OS Activity > User Jobs
Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu.
Table 46 User Jobs Reports Optional Filter Operators

Option | Field | Description
--- | --- | ---
Source Device | devIP | IP address of the device that sent log data
Journal Type | jrnEntryType | Two-character Audit Journal record (entry) type
Journal Description | jrnTypeDesc | Description of the journal entry type
Journal Job | jobName | Name of the job that caused the entry to be created
Journal User | jrnUserName | Profile name of the user associated with the Journal Job
Journal Number | jrnJobNbr | Job number of the Journal Job
Journal Program | jrnPgm | Name of the program that created the entry
Journal Library | jrnPgmLib | Program library
Journal System Name | jrnSyName | Name of the system where the journal resides
Journal Remote Port | jrnRmtPort | Remote port of the system associated with the journal entry
Journal Remote Address | jrnRmtIPAdr | Network address of the system associated with this entry
Action | action | An action associated with the entry type
Action Description | actionDesc | Description of the action
Attribute Name | attribute | Name of an attribute that was the target of the action
Attribute Description | attributeDesc | Description of the attribute (if available)
Destination Server | destServer | Name of a remote workstation or server in a network event
DLO Folder | DLOFolder | Name of the Document Library Object folder
DLO User | DLOUser | Name of the Document Library Object owner, or of the user creating or accessing the DLO
Entry Type | entryType | Type of event or entry within the journal type (can be considered a subtype of the journal type)
Entry Description | entryDesc | Description of the entry
Job Name | jobName | Name of the Journal Job, or of the job that was the target of the action described in the entry
Job Number | jobNumber | Journal Number, or number of the job that was the target of the action described in the entry
Job User | jobUser | Journal User, or profile name of the user associated with the job that was the target of the action described in the entry
Local IP Address | lclIPadr | Local IP address of the system involved in the network event
Object Library | lib | Library of the object that was acted on
Object Name | obj | Name of the object that was acted on
Object Type | objType | Type of object that was acted on
Remote IP Address | rmtIPadr | Remote IP address of the system involved in the network event
Source Server | srcServer | Name of a workstation or server where the audited event occurred, or that was the source system in a network event
Status | status | Status code
Status Description | statusDesc | Description of the status code (if available)
User ID/Profile | user | A user ID (UID) or user profile involved in the recorded event; typically the originator or target of the event
Journal Code | details | Provides event details
Count | (computed by the Appliance) | A count of action attempts, entries, or other count information; dependent on Journal and Entry type
For information on saving the generated report, see Saving a Generated Report on page 119.
Threat Management Reports
To search for and generate reports on information about threat management, use the Threat Management reports.
To access Threat Management reports
Choose home: Reports > Threat Management from the navigation menu:
Table 47 Threat Management Reports

Report | Description
--- | ---
IDS/IPS Activity | Use the IDS/IPS Activity screen to search for and generate a report on all attack activities from Intrusion Detection/Prevention Systems (IDS/IPS).
Threat Activity | Use the Threat Activity screen to search for and generate a report on threats detected, eliminated, quarantined, and detected but unable to be mitigated.
Configuration Activity | Use the Configuration Activity screen to search for and generate a report on the following data: signature file installed, software update, configuration loaded.
Scan Activity | Use the Scan Activity screen to search for and generate a report on the following data: scan delayed, scan aborted.
Security Summary | Use the Security Summary screen to search for and generate a report on summarized user and computer activity alongside other products' security interactions.
DB IPS Activity | Use the DB IPS Activity screen to search for and generate a report on data (for example, username, client/server IP addresses) for various database intrusion prevention events.
HIPS Activity | Use the HIPS Activity screen to search for and generate a report on alerts from IPS/IDS signatures, DDoS attacks, and port scan occurrences.

Preparing a Real-Time Report on page 116 includes the common options that you specify for Real-Time Reports.
For information on saving the generated report, see Saving a Generated Report on page 119.
IDS/IPS Activity Reports
To search for and generate a report on all attack activities from IDS/IPS systems, use the IDS/IPS Activity Real-Time Report.
Menu path: home: Reports > Threat Management > IDS/IPS Activity
For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only Log Source IP, Source IP, Destination IP, Destination Port, Signature, and Count:

Table 48 IDS/IPS Activity Report Optional Filter Operators

Option | Description
--- | ---
Log Source IP | IP address of the device that sent these log messages
Source IP | IP address from which the attack originated
Source Port | Port from which the attack originated
Destination IP | IP address that was targeted
Destination Port | Port that was targeted
Action | Response of the intrusion prevention system (IPS) when it detects an attack reported by the IDS/IPS. Note: If you do not have an IPS associated with your IDS/IPS, you might not see any results when using this filter.
Signature ID | Rule or numeric ID for the event. Note: The Signature ID from the vendor might be more consistent than the Signature.
Protocol | Protocol of the destination device
Signature | Identifier from the IDS/IPS for an event
Sensor | Device that sends events to a collector analysis system
Sensor IP | IP address of the device that detected the event
Classification | Type of attack
Priority | Priority level of the attack
Count | Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.
Threat Activity Reports
To search for and generate a report on all threats detected, eliminated, quarantined, and detected but unable to be mitigated, use the Threat Activity Real-Time Report.
Menu path: home: Reports > Threat Management > Threat Activity
For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only Source Device, Event Name, Category, User Name, Target User, Action, Status, and Count:

Table 49 Threat Activity Report Optional Filter Operators

Option | Description
--- | ---
Source Device | IP address of the device that sent these log messages
Event ID | Numeric ID corresponding to the source device
Event Type | Type of event
Category | The category of the event
Event Response | Response to the event
Status ID | The ID of the status
Severity ID | The severity ID
Severity Name | The name of the severity code associated with the event
User Name | Name of the user who is making the inquiry
Target User | User for whom the inquiry is being made
Target Group | Group for whom the inquiry is being made
Threat Name | Name of the threat
Source IP | IP address from which the attack originated
Destination IP | IP address that was targeted
Destination Host | Host that was targeted
Analyzer Name | Name of the analyzer
Analyzer Version | The version of the analyzer
Data Version | The version of the data associated with the event
Action | An action associated with the entry type
Status | Status of the connection
Count | Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.
Configuration Activity Reports
To search for and generate a report on data such as signature file installed, software update, and configuration loaded, use the Configuration Activity Real-Time Report.
Menu path: home: Reports > Threat Management > Configuration Activity
For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only Source Device, Event Name, Category, User Name, Target User Name, Action, Status, and Count:

Table 50 Configuration Activity Report Optional Filter Operators

Option | Description
--- | ---
Source Device | Source device that sent these log messages
Event Name | Name of the event
Event Type | Type of event
Category | The category of the event
Severity ID | The severity ID
Severity Name | The name of the severity code associated with the event
User Name | Name of the user who is making the inquiry
Target User Name | User for whom the inquiry is being made
Threat Type | The type of threat associated with the event
Source IP | IP address from which the attack originated
Destination IP | IP address that was targeted
Analyzer Name | Name of the analyzer
Analyzer Version | The version of the analyzer
Data Version | The version of the data associated with the event
Action | An action associated with the entry type
Status | Status of the connection
Count | Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.
Scan Activity Reports
To search for and generate a report on all scan delayed or scan aborted data, use the Scan Activity Real-Time Report.
Menu path: home: Reports > Threat Management > Scan Activity
For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only Source Device, Event Name, Category, User Name, Target User Name, Action, Status, and Count:

Table 51 Scan Activity Report Optional Filter Operators

Option | Description
--- | ---
Source Device | Source device that sent these log messages
Event Name | Name of the event
Event Type | Type of event
Category | The category of the event
Event Response | 
Severity ID | The severity ID
Severity Name | The name of the severity code associated with the event
User Name | Name of the user who is making the inquiry
Target User Name | User for whom the inquiry is being made
Target Domain | Domain of the accessed Appliance
Target Group | Group for whom the inquiry is being made
Threat Name | The name of the threat
Threat Type | The type of threat associated with the event
Source IP | IP address from which the attack originated
Destination IP | IP address that was targeted
Destination Port | Port that was targeted
Analyzer Name | Name of the analyzer
Analyzer Version | The version of the analyzer
Action | An action associated with the entry type
Status | Status of the connection
Count | Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.
Security Summary Reports
To search for and generate a report on all summarized user and computer activity alongside other products' security interactions, use the Security Summary Real-Time Report.
Menu path: home: Reports > Threat Management > Security Summary
For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only Source Device, Source IP, Destination IP, User, and Count:

Table 52 Security Summary Report Optional Filter Operators

Option | Description
--- | ---
Source Device | Source device that sent these log messages
Source IP | IP address from which the attack originated
Destination IP | IP address that was targeted
Source Port | Port from which the attack originated
Destination Port | Port that was targeted
User | User who is making the inquiry
Source Host | Host from which the attack originated
Destination Host | Host that was targeted
Type | Type of connection
Event | Type of event
Action | An action associated with the entry type
Status | Status of the connection
Count | Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.
DB IPS Activity Reports
To search for and generate a report on all data (for example, username, client/server IP addresses) for various database intrusion prevention events, use the DB IPS Activity Real-Time Report.
Menu path: home: Reports > Threat Management > DB IPS Activity
For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only Source Device, Client IP, Database User, Database IP, SQL Command, and Count:

Table 53 DB IPS Activity Report Optional Filter Operators

Option | Description
--- | ---
Source Device | Source device that sent these log messages
Session ID | ID of the session
Client IP | IP address of the client
Client Hostname | Hostname of the client
End User IP | IP address of the end user
Database User | Name of the database user
Database IP | IP address of the database
Database Hostname | Hostname of the database
Database Name | Name of the database on which the action occurred
Schema | 
Service Name | The name of the service
Database Type | The type of database
Database Port | The database port
SQL Command | 
Object Name | The name of the object
Source Program | 
Count | Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.
HIPS Activity Reports
To search for and generate a report on all alerts from IPS/IDS signatures, DDoS attacks, and port scan occurrences, use the HIPS Activity Real-Time Report.
Menu path: home: Reports > Threat Management > HIPS Activity
For this report, you can select to view various options in the generated report for your Appliance. Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only Source Device, Event Name, Target User, Threat Type, Source IP, and Count:

Table 54 HIPS Activity Report Optional Filter Operators

Option | Description
--- | ---
Source Device | Source device that sent these log messages
Event ID | The ID of the event
Event Name | Name of the event
Event Type | The type of event
Event Response | 
Severity Name | Name of the severity
Target User | User for whom the inquiry was made
Threat Type | The type of threat
Source IP | IP address from which the attack originated
Host IP | Host from which the attack originated
Destination IP | IP address that was targeted
Destination Host | Host that was targeted
Analyzer Name | Name of the analyzer
Analyzer Version | The version of the analyzer
Object Name | Name of the object affected
Destination Port | Port that was targeted
Target Process Name | Name of the target process
Count | Number of attacks

For information on saving the generated report, see Saving a Generated Report on page 119.
Mail Activity Reports
To search for and generate reports on information about mail-related activities on mail server log sources, use Mail Activity reports.
The Report Information tab that appears when you click home: Reports > Mail Activity lists which reports are available for each log source.
To access Mail Activity reports
Choose home: Reports > Mail Activity > report-name from the navigation menu, where report-name is any one of the following reports:

Table 55 Mail Activity Reports

Report | Description
--- | ---
Exchange 2000/03 SMTP | Use the Exchange 2000/03 SMTP screen to search for and generate a report on all Exchange 2000/03 SMTP events recorded by your mail servers.
Exchange 2000/03 Activity | Use the Exchange 2000/03 Activity screen to search for and generate a report on all mail server activity for your Microsoft Exchange servers.
Exchange 2000/03 Delay | Use the Exchange 2000/03 Delay screen to search for and generate a report on all delays in mail activity for your Microsoft Exchange servers.
Exchange 2000/03 Size | Use the Exchange 2000/03 Size screen to search for and generate a report on mail size for all your Microsoft Exchange server mail activity.
Server Activity | Use the Server Activity screen to search for and generate a report on server activity.
Exchange 2007/10 Activity | Use the Exchange 2007/10 Activity screen to search for and generate a report on all mail server activity for your Microsoft Exchange servers.
Exchange 2007/10 Mail Size | Use the Exchange 2007/10 Mail Size screen to search for and generate a report on mail size for all your Microsoft Exchange server mail activity.

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.
Optional filter operators differ for each Mail Activity report and are explained in their respective sections.
For information on saving the generated report, see Saving a Generated Report on page 119.
Exchange 2000/03 SMTP Reports
To search for and generate a report on all Exchange 2000/03 SMTP events recorded by selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 SMTP Real-Time Report.
Menu path: home: Reports > Mail Activity > Exchange 2000/03 SMTP
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, all options are shown except Source User, Source Host, Domain Name, and Time Taken (ms):
Table 56 Exchange 2000/03 SMTP Report Optional Filter Operators

Option            Description
Source Device     Description of the device that sent these log messages
Source User       User of the source device
Source IP         IP address of the source device
Source Host       Host name of the source device
Domain Name       Domain name of the source device
Destination IP    IP address of the destination device
Destination Port  Port of the destination device
User Guide
166
| Chapter 6 Generating Real-Time Reports
Table 56 Exchange 2000/03 SMTP Report Optional Filter Operators (Cont’d)

Option            Description
Method            Request method to obtain an object; for example, GET
URL Query         URL requested
Status            SMTP result codes
Size              Number of bytes transferred
Time Taken (ms)   Time to complete the event
Count             Number of cache views
For information on saving the generated report, see Saving a Generated Report on page 119.
Exchange 2000/03 Activity Reports
To search for and generate a report on all mail server activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Activity Real-Time Report.
Menu path: home: Reports > Mail Activity > Exchange 2000/03 Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Recipient Domain, Status, and Count are shown:
Table 57 Exchange 2000/03 Activity Report Optional Filter Operators

Option            Description
Source Device     Name of the Microsoft Exchange device
Message ID        Numeric identifier of the message
Sender            Email address of the sender
Sender Domain     Domain name of the sender’s email
Recipient         Email address of the recipient
Recipient Domain  Domain name of the recipient’s email
Status            Exchange status
Count             Number of emails
For information on saving the generated report, see Saving a Generated Report on page 119.
Exchange 2000/03 Delay Reports
To search for and generate a report on all delays in mail activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Delay Real-Time Report.
Menu path: home: Reports > Mail Activity > Exchange 2000/03 Delay
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Recipient Domain, Average Delay, Max Delay, and Count are shown:
Table 58 Exchange 2000/03 Delay Report Optional Filter Operators

Option            Description
Source Device     Name of the Microsoft Exchange device
Message ID        Numeric identifier of the message
Sender            Email address of the sender
Sender Domain     Domain name of the sender’s email
Recipient         Email address of the recipient
Recipient Domain  Domain name of the recipient’s email
Average Delay     Average delay of each message
Max Delay         Maximum delay of each message
Count             Number of emails
For information on saving the generated report, see Saving a Generated Report on page 119.
Exchange 2000/03 Size Reports
To search for and generate a report on mail size for all server mail activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2000/03 Size Real-Time Report.
Menu path: home: Reports > Mail Activity > Exchange 2000/03 Size
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Sender, Total Size (Bytes), Max Size (Bytes), Count, and Actual Count are shown:
Table 59 Exchange 2000/03 Size Report Optional Filter Operators

Option              Description
Source Device       Name of the Microsoft Exchange device
Message ID          Numeric identifier of the message
Sender              Email address of the sender
Sender Domain       Domain name of the sender’s email
Recipient           Email address of the recipient
Recipient Domain    Domain name of the recipient’s email
Total Size (Bytes)  Total number of bytes transferred
Max Size (Bytes)    Maximum number of bytes transferred
Count               Number of emails
Actual Count
For information on saving the generated report, see Saving a Generated Report on page 119.
Server Activity Reports
To search for and generate a report on server activity, use the Server Activity Real-Time Report.
Menu path: home: Reports > Mail Activity > Server Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Source IP, Source Port, Destination IP, Destination Port, and Messages are shown:
Table 60 Server Activity Report Optional Filter Operators

Option            Description
Source Device     Name of the Microsoft Exchange device
Source IP         IP address of the source host device
Source Port       Port of the source host device
Destination IP    IP address that was targeted
Destination Port  Port that was targeted
Messages          Number of log messages received representing this connection
For information on saving the generated report, see Saving a Generated Report on page 119.
Exchange 2007/10 Activity Reports
To search for and generate a report on all mail server activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2007/10 Activity Real-Time Report.
Menu path: home: Reports > Mail Activity > Exchange 2007/10 Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Sender, Recipient, and Count are shown:
Table 61 Exchange 2007/10 Activity Report Optional Filter Operators

Option         Description
Source Device  Name of the Microsoft Exchange device
Sender         Email address of the sender
Recipient      Email address of the recipient
Source
Count          Number of emails
For information on saving the generated report, see Saving a Generated Report on page 119.
Exchange 2007/10 Mail Size Reports
To search for and generate a report on mail size for all server mail activity for selected Microsoft Exchange servers during a specified time interval, use the Exchange 2007/10 Mail Size Real-Time Report.
Menu path: home: Reports > Mail Activity > Exchange 2007/10 Mail Size
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. By default, the Source Device, Sender, Total Size (Bytes), Max Size (Bytes), and Count are shown:
Table 62 Exchange 2007/10 Mail Size Report Optional Filter Operators

Option              Description
Source Device       Name of the Microsoft Exchange device
Sender              Email address of the sender
Total Size (Bytes)  Total number of bytes transferred
Max Size (Bytes)    Maximum number of bytes transferred
Count               Number of emails
For information on saving the generated report, see Saving a Generated Report on page 119.
Network Activity Reports
To search for and generate reports on information about connections on log sources, use Network Activity reports.
To access Network Activity reports
Choose home: Reports > Network Activity > report-name from the navigation menu, where report-name is any one of the following:
Table 63 Network Activity Reports

Report                         Description
Accepted Connections           Use the Accepted Connections screen to search for and generate a report on IP connections that were accepted by a log source.
Active FW Connections          Use the Active FW Connections screen to search for and generate a report on current active sessions from the selected firewall log sources.
Active VPN Connections         Use the Active VPN Connections screen to search for and generate a report on current active sessions through Check Point Interface, Cisco VPN 3000, Nortel Connectivity, and RADIUS Acct Client log sources.
Application Distribution       Use the Application Distribution screen to search for and generate a report on information about messages, grouped by application ports, that were accepted by a device.
Denied Connections             Use the Denied Connections screen to search for and generate a report on connections denied by the selected firewall log sources.
FTP Connections                Use the FTP Connections screen to search for and generate a report on syslog messages related to FTP traffic through the selected firewall log sources.
VPN Access                     Use the VPN Access screen to search for and generate a report on the number of VPN connections that the log source either completed or denied.
VPN Sessions                   Use the VPN Sessions screen to search for and generate a report on data about separate invocations of sessions on log sources during a specified time interval.
VPN Top Lists                  Use the VPN Top Lists screen to search for and generate a report on the top users and IP addresses and statistics.
Web Cache Activity             Use the Web Cache Activity screen to search for and generate a report on locally stored web information served during a specified time interval.
Web Surfing Activity           Use the Web Surfing Activity screen to search for and generate a report on web information served during a specified time interval.
DHCP Activity                  Use the DHCP Activity screen to search for and generate a report on events related to all DHCP activity.
DHCP Granted/Renewed Activity  Use the DHCP Granted/Renewed Activity screen to search for and generate a report on events related to DHCP requests that were granted or renewed.
DHCP Denied Activity           Use the DHCP Denied Activity screen to search for and generate a report on events related to DHCP requests that were denied.
NAT64 Activity                 Use the NAT64 Activity screen to search for and generate a report on each binding when sessions are built and destroyed.

Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports. Optional filter operators are different for each Network Activity report, and are explained in their respective sections.
For information on saving the generated report, see Saving a Generated Report on page 119.
Accepted Connections Reports
To search for and generate a report on IP connections that were accepted by selected firewall log sources during a specified time interval, use the Accepted Connections Real-Time Report.
1. Accepted Connections data is summarized in ten minutes and one hour. If the report time interval is less than two hours, the time range is cut to ten minutes, and if it is more than two hours, it is cut to one hour.
2. To view the detail report, you must enable the Administration > System Settings > General tab > Enable Accept Detail option. This may require additional time and storage in downloading this report.
Menu path: home: Reports > Network Activity > Accepted Connections
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
Column headings differ for PIX and non-PIX devices.
Table 64 Accepted Connections Report Optional Filter Operators

Option           Description
Source Device    Description of the device that sent these log messages
Translated IP *  IP address as translated by the device
Source IP        IP address of the source host (non-PIX devices only)
Destination IP   IP address of the destination host device (non-PIX devices only)
Port             Port number (service) of the destination host
Protocol         Protocol of the destination host
Description      Description of the port (service)
Messages         Number of log messages received representing this connection
In Bytes         Number of incoming bytes (Check Point Interface, Cisco PIX, and Juniper Firewall only)
Out Bytes        Number of outgoing bytes (Check Point Interface, Cisco PIX, and Juniper Firewall only)
Action           Accept or encrypt - Identifies if the connection was accepted or accepted with encryption (Check Point Interface only)

* Under certain conditions Network Address Translation (NAT) addresses can show up as 0.0.0.0 in real-time reports such as Accepted Connections Reports. This is not a bug, since System Alert messages of a certain type (e.g., FWSM-4-106100 in Cisco Catalyst 6500 Series Switches) do not have a translated (mapped) address present in the logs. Therefore, zero is correct because there is no relevant IP address in the parsed logs for FWSM-4-106100.
For information on saving the generated report, see Saving a Generated Report on page 119.
Active FW Connections Reports
To search for and generate a report on current active sessions through selected Cisco PIX Firewall log sources, use the Active FW Connections Real-Time Report.
The Active Firewall Connection report is generated by monitoring the start and end messages of a particular connection in progress. Connections that have generated a start message but have not yet generated an end message are assumed to be active for a period of time before being timed out.
Menu path: home: Reports > Network Activity > Active FW Connections
In Active FW Connections reports, you must specify the log source:
Table 65 Active FW Connections Screen Elements

Element     Description
IP Address  IP address for the log source
Port        Port number for the log source
Protocol    Protocol type (from the drop-down menu)
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
Table 66 Active FW Connections Report Optional Filter Operators

Option               Description
Create Time          Time the session began
Connection           ID in the log message assigned to the unique connection
Protocol             IP protocol (TCP, UDP, etc.) of the connection
Translated IP/Port   Public (NAT’ed) IP address of the source host (IP address only)
Source IP/Port       IP address of the internal host device (IP address only)
Destination IP/Port  IP address of the external host device (IP address only)
Direction            Inbound or Outbound connection attempt
For information on saving the generated report, see Saving a Generated Report on page 119.
The generated list displays in real time. As a result, the last page of connections might be closed (no longer active) by the time you scroll to the last page. This results in no data displaying on the last page of the report.
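The start/end tracking described above, written out as an added example (this is not LogLogic code and does not reproduce the Appliance's parser). The log line format is constructed and simplified, the connection key is (device, connection ID) on the assumption that IDs are only unique per device, and the timeout value is an assumption, since the guide says only that a started but not-yet-ended connection is assumed active "for a period of time".

```python
# Added example (not LogLogic code): an active-connections table derived from
# connection start (BUILT) and end (TEARDOWN) messages. Format, field names and
# the 5-minute default timeout are assumptions.
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<event>BUILT|TEARDOWN)"
    r"(?: (?P<direction>inbound|outbound))? (?P<proto>TCP|UDP) conn=(?P<conn>\d+)"
    r"(?: src=(?P<src>\S+) dst=(?P<dst>\S+) xlate=(?P<xlate>\S+))?$"
)


@dataclass
class Connection:
    """One report row: the Table 66 columns plus the reporting device."""
    device: str
    conn_id: str
    create_time: datetime
    protocol: str
    direction: str
    source: str        # internal host, IP:port
    destination: str   # external host, IP:port
    translated: str    # public (NAT'ed) address, IP:port


class ActiveConnectionTable:
    """Tracks connections that have a start message but no end message yet."""

    def __init__(self, timeout_minutes: int = 5):
        self.timeout = timedelta(minutes=timeout_minutes)
        self._open: Dict[Tuple[str, str], Connection] = {}

    def feed(self, line: str) -> bool:
        """Apply one log line; returns False for lines the parser does not know."""
        m = LINE_RE.match(line)
        if m is None:
            return False
        key = (m["device"], m["conn"])  # IDs are assumed unique only per device
        if m["event"] == "BUILT":
            self._open[key] = Connection(
                device=m["device"], conn_id=m["conn"],
                create_time=datetime.fromisoformat(m["ts"]),
                protocol=m["proto"], direction=(m["direction"] or "unknown").capitalize(),
                source=m["src"] or "-", destination=m["dst"] or "-",
                translated=m["xlate"] or "-",
            )
        else:
            # An end message for a connection we never saw start (for example one
            # built before collection began) is ignored rather than treated as an error.
            self._open.pop(key, None)
        return True

    def active(self, now: datetime) -> List[Connection]:
        """Connections still assumed open at `now`; stale ones are timed out."""
        stale = [k for k, c in self._open.items() if now - c.create_time >= self.timeout]
        for k in stale:
            del self._open[k]
        return sorted(self._open.values(), key=lambda c: (c.create_time, c.conn_id))


# Constructed sample lines (not any real firewall's format).
SAMPLE_LINES = [
    "2016-01-15T09:00:01 fw1 BUILT inbound TCP conn=1001 src=10.0.0.5:51000 dst=203.0.113.9:443 xlate=198.51.100.2:51000",
    "2016-01-15T09:00:05 fw1 BUILT outbound UDP conn=1002 src=10.0.0.7:5353 dst=203.0.113.53:53 xlate=198.51.100.2:5353",
    "2016-01-15T09:01:30 fw1 TEARDOWN TCP conn=1001",
    "2016-01-15T09:02:00 fw1 BUILT inbound TCP conn=1003 src=10.0.0.9:51022 dst=203.0.113.10:22 xlate=198.51.100.2:51022",
    "2016-01-15T09:02:10 fw1 TEARDOWN UDP conn=7777",  # end without a start: ignored
]


def active_connection_ids(now: str, timeout_minutes: int = 5) -> List[str]:
    """Replay the sample lines and list the connection IDs still active at `now`."""
    table = ActiveConnectionTable(timeout_minutes)
    for line in SAMPLE_LINES:
        table.feed(line)
    return [c.conn_id for c in table.active(datetime.fromisoformat(now))]


if __name__ == "__main__":
    print(active_connection_ids("2016-01-15T09:03:00"))  # 1001 was torn down
    print(active_connection_ids("2016-01-15T09:06:00"))  # 1002 has timed out
```

The caveat in the text follows directly from this design: a row is only as current as the last message the collector has seen, so a connection listed as active can already have ended by the time the page is rendered.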
Active VPN Connections Reports
To search for and generate a report on current active sessions through selected VPN and RADIUS log sources, use the Active VPN Connections Real-Time Report.
Menu path: home: Reports > Network Activity > Active VPN Connections
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
Table 67 Active VPN Connections Report Optional Filter Operators

Option         Description
Source Device  Description of the device that sent these log messages
Connections    Number of log messages received representing connections
For information on saving the generated report, see Saving a Generated Report on page 119.
The generated list displays in real time. As a result, the last page of connections might be closed (no longer active) by the time you scroll to the last page. This results in no data displaying on the last page of the report.
Application Distribution Reports
To search for and generate a report that summarizes accepted traffic by application ports through selected firewall log sources during a specified time interval, use the Application Distribution Real-Time Report.
1. The Application Distribution data is summarized in ten minutes and one hour. If the report time interval is less than two hours, the time range is cut to ten minutes, and if it is more than two hours, it is cut to one hour.
2. To view the detail report, you must enable the Administration > System Settings > General tab > Enable Accept Detail option. This may require additional time and storage in downloading this report.
Menu path: home: Reports > Network Activity > Application Distribution
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
Table 68 Application Distribution Report Optional Filter Operators

Option            Description
Source Device     Description of the device that sent these log messages
Port              Port number (service) of the connection
Protocol          IP protocol (TCP, UDP, etc.) of the connection
Description       Description of the port (service)
Messages          Number of log messages received representing this connection
Src -> Dest Bytes Number of outbound bytes sent (not for Nortel VPN)
Bar Graph         Percentage of total outbound bytes represented as a bar graph
Percentage        Number of outbound bytes represented as a percentage
Dst -> Src Bytes  Number of inbound bytes received (not for Nortel VPN)
For information on saving the generated report, see Saving a Generated Report on page 119.
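The "summarized in ten minutes and one hour" rule that both the Accepted Connections and the Application Distribution notes state, applied to constructed accept records as an added example (not LogLogic code, and not how the Appliance stores its summaries). It assumes the report interval is half-open, and, because the guide only speaks of "less than" and "more than" two hours, treats an interval of exactly two hours as one-hour buckets; both are assumptions.

```python
# Added example (not LogLogic code): choose the summary granularity from the
# report interval and count accepted connections per (bucket, destination port).
from collections import Counter
from datetime import datetime, timedelta

TEN_MINUTES = 600
ONE_HOUR = 3600


def bucket_seconds(start: datetime, end: datetime) -> int:
    """Summary granularity for a report interval, per the guide's rule."""
    if end <= start:
        raise ValueError("report end must be after report start")
    if end - start < timedelta(hours=2):
        return TEN_MINUTES
    return ONE_HOUR  # exactly two hours lands here (assumption)


def summarize_by_port(records, start: datetime, end: datetime) -> Counter:
    """Count records per (bucket start, destination port).

    Each record is (timestamp, src_ip, dst_ip, dst_port). Records outside
    [start, end) are skipped, so widening the interval changes both the bucket
    width and which records take part.
    """
    width = bucket_seconds(start, end)
    counts = Counter()
    for ts, _src_ip, _dst_ip, dst_port in records:
        if not (start <= ts < end):
            continue
        offset = int((ts - start).total_seconds()) // width * width
        counts[(start + timedelta(seconds=offset), dst_port)] += 1
    return counts


def as_rows(counts: Counter):
    """Flatten a summary into sorted (HH:MM, port, count) rows for display."""
    return [(bucket.strftime("%H:%M"), port, n)
            for (bucket, port), n in sorted(counts.items())]


# Constructed sample accepts spanning just under two hours on three ports.
T0 = datetime(2016, 1, 15, 9, 0, 0)
SAMPLE_RECORDS = [
    (T0 + timedelta(minutes=1), "10.0.0.5", "203.0.113.9", 443),
    (T0 + timedelta(minutes=4), "10.0.0.6", "203.0.113.9", 443),
    (T0 + timedelta(minutes=12), "10.0.0.5", "203.0.113.9", 443),
    (T0 + timedelta(minutes=40), "10.0.0.7", "203.0.113.22", 22),
    (T0 + timedelta(minutes=105), "10.0.0.8", "203.0.113.25", 25),
]


def short_report():
    """90-minute interval: ten-minute buckets; the 10:45 record is outside it."""
    return summarize_by_port(SAMPLE_RECORDS, T0, T0 + timedelta(minutes=90))


def long_report():
    """Three-hour interval: one-hour buckets; all five records take part."""
    return summarize_by_port(SAMPLE_RECORDS, T0, T0 + timedelta(hours=3))


if __name__ == "__main__":
    for label, report in (("90 min", short_report()), ("3 h", long_report())):
        print(label)
        for bucket, port, n in as_rows(report):
            print(f"  {bucket} port {port:>4}: {n}")
```

The point for a reviewer of these reports is that the same three accepts on port 443 show up as two rows in a 90-minute report and as one row in a three-hour report, so row counts are not comparable across reports with different interval lengths.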
Denied Connections Reports
To search for and generate a report on denied connections by selected firewall log sources during a specified time interval, use the Denied Connections Real-Time Report.
Menu path: home: Reports > Network Activity > Denied Connections
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select:
• The type of information the Appliance aggregates for the generated report
• Various optional filter operators in the generated report for your Appliance
Table 69 Denied Connections Report Summary Methods

Method                       Description
Src IP/Any --> Any/Port      Aggregates records from a specific Source IP and any port going to any destination IP and a specific destination port. The system derives the Source IP and destination port from your Device Type and Source Device selections.
Src IP/Any --> Dest IP/Port  Aggregates records from a specific Source IP and any port going to a specific Destination IP and specific Destination port. The system derives the Source IP and Destination IP from your Device Type and Source Device selections.
Denied by Port               Aggregates records from the port numbers only
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following optional filter operators:
Table 70 Denied Connections Report Optional Filter Operators

Option         Description
Source Device  Description of the device that sent these log messages
Attempts *     Number of times log messages denied the connection
Src IP         IP address of the source host device
Src Port       Port number of the source host device
Dest IP        IP address of the destination host device
Dest Port      Port number of the destination host device
Protocol       IP protocol (TCP, UDP, etc.) of the connection
Description    Description of the destination port (service)
Access Group   (Cisco PIX/ASA only) Lists any group of which you are a member
Rules          (Check Point Interface only) Condition set on the firewall to complete the security policy; identifies what is allowed and not allowed through a specific interface.
Policy ID      Unique policy identifier of the device on the firewall (Juniper Firewall only)
Direction      (Check Point Interface, Cisco PIX/ASA/FWSM, Juniper Firewall, and Nortel Connectivity only) Inbound or Outbound connection attempt. Direction is stored as a number internally: for INBOUND use 1, for OUTBOUND use 2, and for INTERNAL use 3.

* Note: “Attempts” for Cisco router by “src IP/any” will be larger than the number shown in the Denied Connections Report because IP packets are measured in this instance, instead of the actual number of messages sent.
For more information on saving the generated report, see Saving a Generated Report on page 119.
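The three Table 69 summary methods and the Table 70 Direction encoding, carried out on constructed denied-connection records as an added example (not LogLogic code, and not the Appliance's own aggregation). The record layout, field names and the per-record "attempts" count (standing in for the packet-counted Cisco router case of the note above) are assumptions.

```python
# Added example (not LogLogic code): aggregate denied-connection records the way
# the Denied Connections summary methods describe, and map Direction names to
# the internal codes the guide documents (INBOUND=1, OUTBOUND=2, INTERNAL=3).
from collections import Counter
from typing import Callable, Dict, Iterable, Tuple

ANY = "*"  # wildcard position in an aggregation key

DIRECTION_CODES = {"INBOUND": 1, "OUTBOUND": 2, "INTERNAL": 3}
DIRECTION_NAMES = {code: name for name, code in DIRECTION_CODES.items()}

# Aggregation key per method; the key is always (src_ip, src_port, dest_ip,
# dest_port), with "*" wherever the method ignores that field.
SUMMARY_METHODS: Dict[str, Callable[[dict], Tuple[str, str, str, str]]] = {
    "Src IP/Any --> Any/Port": lambda r: (r["src_ip"], ANY, ANY, str(r["dest_port"])),
    "Src IP/Any --> Dest IP/Port": lambda r: (r["src_ip"], ANY, r["dest_ip"], str(r["dest_port"])),
    "Denied by Port": lambda r: (ANY, ANY, ANY, str(r["dest_port"])),
}


def encode_direction(name: str) -> int:
    try:
        return DIRECTION_CODES[name.upper()]
    except KeyError:
        raise ValueError(f"unknown direction {name!r}") from None


def decode_direction(code: int) -> str:
    try:
        return DIRECTION_NAMES[code]
    except KeyError:
        raise ValueError(f"unknown direction code {code!r}") from None


def summarize_denied(records: Iterable[dict], method: str) -> Counter:
    """Attempts per aggregation key for the chosen summary method.

    A record may carry its own "attempts" count: per the Table 70 note a Cisco
    router reports IP packets rather than messages, so one record can stand
    for several attempts. Records without the field count as one.
    """
    try:
        key_of = SUMMARY_METHODS[method]
    except KeyError:
        raise ValueError(f"unknown summary method {method!r}") from None
    attempts = Counter()
    for record in records:
        attempts[key_of(record)] += int(record.get("attempts", 1))
    return attempts


def _deny(src_ip, src_port, dest_ip, dest_port, direction="INBOUND", attempts=1):
    """Build one constructed denied-connection record."""
    return {"src_ip": src_ip, "src_port": src_port, "dest_ip": dest_ip,
            "dest_port": dest_port, "direction": encode_direction(direction),
            "attempts": attempts}


# Constructed sample: two internal hosts repeatedly denied on ports 22 and 3389.
SAMPLE_DENIES = [
    _deny("10.0.0.5", 4000, "203.0.113.9", 22),
    _deny("10.0.0.5", 4001, "203.0.113.9", 22),
    _deny("10.0.0.5", 4002, "203.0.113.10", 22),
    _deny("10.0.0.6", 4003, "203.0.113.9", 22),
    _deny("10.0.0.6", 4004, "203.0.113.9", 3389, direction="OUTBOUND"),
]


def top_keys(method: str, n: int = 3):
    """The n busiest aggregation keys for a method, as (key, attempts) pairs."""
    return summarize_denied(SAMPLE_DENIES, method).most_common(n)


if __name__ == "__main__":
    for method in SUMMARY_METHODS:
        print(method)
        for (src_ip, src_port, dest_ip, dest_port), count in top_keys(method):
            print(f"  {src_ip}/{src_port} --> {dest_ip}/{dest_port}: {count}")
```

Choosing the method decides what the Attempts column adds up: the same five denies give three rows by source and destination port, four rows once the destination IP is kept, and two rows when only the port is kept, which is why totals differ between views of the same interval.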
FTP Connections Reports
To search for and generate a report on all syslog messages related to FTP traffic through the selected firewall device during a specified time interval, use the FTP Connections Real-Time Report.
Menu path: home: Reports > Network Activity > FTP Connections
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
Table 71 FTP Connections Report Optional Filter Operators

Option            Description
Source Device     Description of the device that sent these log messages
Source Device IP  IP address of the source device that sent these log messages
From              IP address of the source device
To                IP address of the destination device
Count             Number of times syslog messages related to FTP traffic were generated
For information on saving the generated report, see Saving a Generated Report on page 119.
VPN Access Reports
To search for and generate reports on the VPN connections that the selected log sources either completed or denied during a specified time interval, use the VPN Access Real-Time Report.
Menu path: home: Reports > Network Activity > VPN Access
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display all the following options:
Table 72 VPN Access Report Optional Filter Operators

Option                     Description
Source Device              Description of the device that sent these log messages
Public IP                  Public IP address originating the VPN connection
Group                      VPN group of which the source device is a part
User                       VPN user ID
Target User                VPN user ID of the originating VPN connection
Connections                Number of log messages received representing connections
Denies                     Number of denied connection messages received
Avg Duration               Average duration of each connection
Byte Count                 Number of bytes transferred during the session
Avg Bandwidth (Bytes/Sec)  Average bandwidth used for each connection
For information on saving the generated report, see Saving a Generated Report on page 119.
Appliances cannot receive disconnected messages. A VPN session is recorded permanently in the authentication database table after it is disconnected; until then, the session is considered active. A Check Point VPN session is considered disconnected when a new connection attempt is made by the same user from the same IP address.
VPN Sessions Reports
To search for and generate a report on data about VPN sessions (including initiation and conclusion times) on selected log sources during a specified time interval, use the VPN Sessions Real-Time Report.
Menu path: home: Reports > Network Activity > VPN Sessions
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. The default is to display only the Source Device, User, Avg Duration, Avg Bytes, and Count.
Table 73 VPN Sessions Report Optional Filter Operators

Option         Description
Source Device  Description of the device that sent these log messages
User           User ID
Target User    User ID on the device with which the source device attempted to connect
Source IP      IP address of the device that sent these log messages
Target IP      IP address of the device with which the source device attempted to connect
Avg Duration   Average duration of each connection
Avg Bytes      Average number of bytes
Count          Number of VPN sessions
For information on saving the generated report, see Saving a Generated Report on page 119.
Appliances cannot receive disconnected messages. A VPN session is recorded permanently in the authentication database table after it is disconnected; until then, the session is considered active. A Check Point VPN session is considered disconnected when a new connection attempt is made by the same user from the same IP address.
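The session rule stated in the VPN Access and VPN Sessions notes, written out as an added example (not LogLogic code, and not the Appliance's authentication table): a session stays active until a disconnect is recorded, and for Check Point a new attempt by the same user from the same IP address counts as the disconnect of the earlier session. The vendor label, field names and the sample timeline are assumptions; the per-user Avg Duration, Avg Bytes and Count mirror the Table 73 columns.

```python
# Added example (not LogLogic code): VPN session bookkeeping with the
# "new attempt from the same user and IP closes the old session" rule.
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass
class VpnSession:
    user: str
    ip: str
    start: datetime
    end: Optional[datetime] = None
    bytes_transferred: int = 0

    @property
    def active(self) -> bool:
        return self.end is None

    @property
    def duration_seconds(self) -> float:
        if self.end is None:
            raise ValueError("session is still active")
        return (self.end - self.start).total_seconds()


class VpnSessionTable:
    # Vendors for which a repeat attempt implies the earlier session ended
    # (the guide states this for Check Point; the label is an assumption).
    CLOSES_ON_REATTEMPT = {"checkpoint"}

    def __init__(self):
        self.sessions: List[VpnSession] = []

    def _active_for(self, user: str, ip: str) -> List[VpnSession]:
        return [s for s in self.sessions if s.active and s.user == user and s.ip == ip]

    def connect(self, user: str, ip: str, ts: datetime, vendor: str = "generic") -> VpnSession:
        if vendor in self.CLOSES_ON_REATTEMPT:
            for old in self._active_for(user, ip):
                old.end = ts  # the new attempt is the old session's disconnect time
        session = VpnSession(user, ip, ts)
        self.sessions.append(session)
        return session

    def disconnect(self, user: str, ip: str, ts: datetime,
                   bytes_transferred: int = 0) -> Optional[VpnSession]:
        """Close the most recent active session for (user, ip); None if there is none."""
        matches = self._active_for(user, ip)
        if not matches:
            return None
        session = matches[-1]
        session.end = ts
        session.bytes_transferred = bytes_transferred
        return session

    def active(self) -> List[VpnSession]:
        return [s for s in self.sessions if s.active]

    def sessions_report(self) -> Dict[str, dict]:
        """Per-user Avg Duration, Avg Bytes and Count over completed sessions only."""
        totals: Dict[str, dict] = {}
        for s in self.sessions:
            if s.active:
                continue  # still active: not yet recorded as a completed session
            row = totals.setdefault(s.user, {"duration": 0.0, "bytes": 0, "count": 0})
            row["duration"] += s.duration_seconds
            row["bytes"] += s.bytes_transferred
            row["count"] += 1
        return {user: {"avg_duration": r["duration"] / r["count"],
                       "avg_bytes": r["bytes"] / r["count"],
                       "count": r["count"]}
                for user, r in totals.items()}


def build_sample_table() -> VpnSessionTable:
    """Constructed timeline: alice reconnects from the same IP, bob disconnects normally."""
    t = VpnSessionTable()
    t.connect("alice", "198.51.100.7", datetime(2016, 1, 15, 9, 0), vendor="checkpoint")
    t.connect("bob", "198.51.100.8", datetime(2016, 1, 15, 9, 10))
    t.connect("alice", "198.51.100.7", datetime(2016, 1, 15, 9, 30), vendor="checkpoint")
    t.disconnect("bob", "198.51.100.8", datetime(2016, 1, 15, 9, 40), bytes_transferred=5000)
    t.disconnect("carol", "198.51.100.9", datetime(2016, 1, 15, 9, 41))  # no session: ignored
    return t


if __name__ == "__main__":
    table = build_sample_table()
    print("active:", [(s.user, s.ip) for s in table.active()])
    print("report:", table.sessions_report())
```

Note what the rule implies for the numbers: alice's first session gets a 30-minute duration and zero bytes even though no disconnect was ever logged for it, so Avg Duration and Avg Bytes for Check Point users partly reflect reconnect timing rather than observed session ends.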
VPN Top Lists Reports
To search for and generate a report on the top users, IP addresses, and other statistics, use the VPN Top Lists Real-Time Report.
Menu path: home: Reports > Network Activity > VPN Top Lists
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Choose the Method from the drop-down menu. The options are: Top Disconnect Reasons, By IP Address, and By User. Depending on the method selection, the default column options will change. Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu.
The default is to display all the following options for Top Disconnect Reasons:
Table 74 VPN Top Lists Report Types

Report Type        Description
Source Device      The description of the source device
Connections        Number of connections to the source device
Disconnect Reason  Reason for disconnection
If you run a report for the Top Disconnect Reasons, the “unknown” that displays in the Disconnect Reasons column represents the disconnect reasons reported by RADIUS. If your RADIUS server is not properly connected, all reasons display as “unknown”. Click a Connections number or Source Device to drill down and view the Disconnect Details column. This column displays the VPN syslog messages associated with the disconnect reason.
For information on saving the generated report, see Saving a Generated Report on page 119.
Web Cache Activity Reports
To search for and generate a report on all URLs accessed through proxy or cache servers on specified log sources during a specified time interval, use the Web Cache Activity Real-Time Report.
Menu path: home: Reports > Network Activity > Web Cache Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Source IP, Destination IP, Status, Size, Filter Category, Filter Result, and Count:
Table 75 Web Cache Activity Report Optional Filter Operators

Option            Description
Source Device     Description of the device that sent these log messages
Source User       User of the source device
Source IP         IP address of the source device
Source Host       Host name of the source device
Domain Name       Domain name of the source device
Destination IP    IP address of the destination device
Destination Port  Port of the destination device
Peer IP           IP address of the peer device
Peer Host         Host name of the peer device
Peer Status       A code that explains how the request was handled; for example, by forwarding it to a peer or returning the request to the source
Method            Request method to obtain an object; for example, GET
URL               URL requested
Cache Code        Information on the result of the transaction: the kind of request, how it was satisfied, or in what way it failed
Status            HTTP result codes
Type              Content type of the object as seen in the HTTP reply header
Size              Number of bytes transferred
Filter Category   The category of the filter
Filter Result     The results after using the filter
Count             Number of cache views
When you drill down on a Web Cache Activity report’s results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.
For information on saving the generated report, see Saving a Generated Report on page 119.
Web Surfing Activity Report
To search for and generate a report on all URLs accessed via firewalls or web servers on selected log sources during a specified time interval, use the Web
Surfing Activity Real-Time Report.
Menu path: home: Reports > Network Activity > Web Surfing Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device IP, Source IP, Destination IP, Status, Size, and Count:
Table 76 Web Surfing Activity Report Optional Filter Operators
Option | Description
Source Device IP | IP address of the device that sent these log messages
Source User | User ID of the source device
Source IP | IP address of the device originating the connection
Source Host | Host name of the source device
Domain Name | Domain name of the source device
Destination IP | IP address of the destination device
Destination Port | Port of the destination device
Method | Request method to obtain an object; for example, GET
URL | URL requested
Status | HTTP result codes
Type | Content type of the object as seen in the HTTP reply header
Size | Number of bytes transferred
User Agent |
Referred By |
Count | Number of syslog messages received for this connection and status code
When you drill down on Web Surfing Activity report’s results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.
For information on saving the generated report, see Saving a Generated Report on page 119.
DHCP Activity Report
To search for and generate a report on events related to all DHCP activity, use the DHCP Activity Real-Time Report.
Menu path: home: Reports > Network Activity > DHCP Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, MAC Address, Client Name, Lease Address, Action, Status, and Count:
Table 77 DHCP Activity Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
MAC Address | MAC IP address
Client Name | Name of the client
Lease Address |
Action | Action taken
Status | Status of the activity
Count | Number of connections
When you drill down on this report’s results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.
For information on saving the generated report, see Saving a Generated Report on page 119.
DHCP Granted/Renewed Activity Report
To search for and generate a report on events related to DHCP requests that were granted or renewed, use the DHCP Granted/Renewed Activity Real-Time Report.
Menu path: home: Reports > Network Activity > DHCP Granted/Renewed Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, MAC Address, Client Name, Lease Address, Action, Status, and Count:
Table 78 DHCP Granted/Renewed Activity Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
MAC Address | MAC IP address
Client Name | Name of the client
Lease Address |
Action | Action taken
Status | Status of the activity
Count | Number of connections
When you drill down on this report’s results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.
For information on saving the generated report, see Saving a Generated Report on page 119.
DHCP Denied Activity Report
To search for and generate a report on events related to DHCP requests that were denied, use the DHCP Denied Activity Real-Time Report.
Menu path: home: Reports > Network Activity > DHCP Denied Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, MAC Address, Client Name, Lease Address, Action, Status, and Count:
Table 79 DHCP Denied Activity Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
MAC Address | MAC IP address
Client Name | Name of the client
Lease Address |
Action | Action taken
Status | Status of the activity
Count | Number of connections
When you drill down on this report’s results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.
For information on saving the generated report, see Saving a Generated Report on page 119.
NAT64 Activity Report
To search for and generate a report on each binding when sessions are built and destroyed, use the NAT64 Activity Real-Time Report.
Menu path: home: Reports > Network Activity > NAT64 Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Time, Translated IPv6, Original IPv4, Original IPv6 Port, Original IPv4 Port, and Count:
Table 80 NAT64 Activity Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Time | Time of connection
Translated IPv6 | The translated IPv6 address
Original IPv4 | The original IPv4 address
Original IPv6 Port | The port of the original IPv6
Original IPv4 Port | The port for the original IPv4
Count | Number of connections
When you drill down on this report’s results, there is no default sort-by selection. The drill-down results are generally in order by time. If you specify a sort-by selection for this report's drill-down, performance in generating the drill-down results is slower.
For information on saving the generated report, see Saving a Generated Report on page 119.
Operational Reports
To search for and generate reports on information about syslog messages on log sources, use Event Logs reports.
The Report Information tab that appears when you click on home: Reports > Operational lists which reports are available for each log source.
To access Event Logs reports
Choose home: Reports > Operational > report-name from the navigation menu, where report-name is any one of the following reports:
Table 81 Operational Reports
Report | Description
All Unparsed Events | Use the All Unparsed Events screen to search for and generate a report on unparsed syslog messages for selected devices.
Firewall Statistics | Use the Firewall Statistics screen to search for and generate a report summarizing firewall syslog messages classified as security messages.
Total Message Count | Use the Total Message Count screen to search for and generate a report summarizing firewall or Nortel VPN device syslog messages classified as system messages.
Security Events | Use the Security Events screen to search for and generate a report on firewall syslog messages classified as security messages.
System Events | Use the System Events screen to search for and generate a report on firewall or Nortel VPN device syslog messages classified as system messages.
VPN Events | Use the VPN Events screen to search for and generate a report on the number of Cisco VPN syslog messages that appear with the type called “System Type”.
Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.
Optional filter operators are different for each Event Logs report, and are explained in their respective sections.
For information on saving the generated report, see Saving a Generated Report on page 119.
All Unparsed Events Reports
To search for and generate a report on syslog messages that are not parsed into the Security, System, or VPN Events reports, or into any other report table (for example, Authentication) for selected log sources during a specified time interval, use the All Unparsed Events Real-Time Report.
Menu path: home: Reports > Operational > All Unparsed Events
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators are not visible if you select the Boolean Search in the Search Filter criteria.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are all selected:
Table 82 All Unparsed Events Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent the log messages
Source Device IP | IP address of the source device that sent the log messages
Facility | Syslog facility associated with the message
Severity | Severity code associated with the message
Count | Number of times syslog messages were generated
For information on saving the generated report, see Saving a Generated Report on page 119.
Firewall Statistics Reports
To search for and generate a summary report of event types and messages per firewall, for selected log sources during a specified time interval, use the Firewall Statistics Real-Time Report.
Menu path: home: Reports > Operational > Firewall Statistics
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators are not visible if you select the Boolean Search in the Search Filter criteria.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are all selected:
Table 83 Firewall Statistics Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent the log messages
System Messages | The number of system messages
Security Messages | The number of security messages
Accepted Messages | The number of accepted messages
Denied Messages | The number of denied messages
Total Messages | The total number of messages
For information on saving the generated report, see Saving a Generated Report on page 119.
Total Message Count Reports
To search for and generate a summary report of log messages for selected log sources during a specified time interval, use the Total Message Count Report.
Menu path: home: Reports > Operational > Total Message Count
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators are not visible if you select the Boolean Search in the Search Filter criteria.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are all selected:
Table 84 Total Message Count Report Optional Filter Operators
Option | Description
Time | Time the syslog message was generated
Source Device | Description of the device that sent the log messages
Messages | The total number of messages
For information on saving the generated report, see Saving a Generated Report on page 119.
Security Events Reports
To search for and generate a report on firewall syslog messages classified as security messages for selected log sources during a specified time interval, use the Security Events Real-Time Report.
Menu path: home: Reports > Operational > Security Events
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. By default, the following options are all selected:
Table 85 Security Events Report Optional Filter Operators
Option | Description
Source Device | Description of the device originating the connection
Source Device IP | IP address of the source device
Message Code | Code number of the security message
Message Code Description | Description of the security message (Cisco PIX only)
Module | Juniper Netscreen module name, that is, system (Juniper Firewall only)
Severity | One of the following severity codes (Juniper Firewall only): 0 Emergency: system is unusable; 1 Alert: action must be taken immediately; 2 Critical: critical conditions; 3 Error: error conditions; 4 Warning: warning conditions; 5 Notice: normal but significant condition; 6 Informational: informational messages; 7 Debug: debug-level messages
Count | Number of syslog messages classified as security messages generated
For information on saving the generated report, see Saving a Generated Report on page 119.
System Events Reports
To search for and generate a report on firewall or Nortel VPN device syslog messages classified as system messages for selected log sources during a specified time interval, use the System Events Real-Time Report.
Menu path: home: Reports > Operational > System Events
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
Optional filter operators can be sorted in ascending or descending order. Choose sort order using the drop-down menu. Optional filter operators are not visible if you select Boolean Search in the Search Filter criteria. By default, the following options are all selected:
Table 86 System Events Report Optional Filter Operators
Option | Description
Source Device | Description of the device that sent these log messages
Source Device IP | IP address of the source device that sent these log messages
Message Code | Code number of the system message
Message Code Description | Description of the system message (Cisco PIX only)
Module | Juniper Netscreen module name, that is, system (Juniper Firewall only)
Severity | One of the following severity codes (Juniper Firewall only): 0 Emergency: system is unusable; 1 Alert: action must be taken immediately; 2 Critical: critical conditions; 3 Error: error conditions; 4 Warning: warning conditions; 5 Notice: normal but significant condition; 6 Informational: informational messages; 7 Debug: debug-level messages
Count | Number of system messages received for the specified code
For information on saving the generated report, see Saving a Generated Report on page 119.
VPN Events Reports
To search for and generate a report on Cisco VPN, CheckPoint VPN, Nortel VPN, or RADIUS syslog messages of the System Message type for selected log sources during a specified time interval, use the VPN Events Real-Time Report.
Menu path: home: Reports > Operational > VPN Events
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
By default, the following options are all selected:
Table 87 VPN Events Report Optional Filter Operators
Option | Description
Time | Time the syslog message was generated
Source Device | IP address of the device originating the connection
Group | VPN group name
User | VPN user ID
Public IP | Public IP address originating the VPN connection
Severity | Severity Code associated with the message
Code | Code number of the system message
Area | Name of the defined VPN area
Detail Message | Text of the syslog message
For information on saving the generated report, see Saving a Generated Report on page 119.
Appliances cannot receive disconnected messages. A VPN session is recorded permanently in the database table authentication after it is disconnected; prior to that, the session is considered active. A Check Point VPN session is considered disconnected when a new connection attempt is made by the same user from the same IP address.
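The session-state rule just described, as an added illustration written for this guide and not LogLogic's own code: it replays constructed Check Point VPN connection events carrying the Time, User and Public IP fields of Table 87 and, because no disconnect message ever arrives, treats a session as disconnected only when the same user connects again from the same IP. The names replay_sessions, Session, active_count_by_user and the sample events are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of Check Point VPN connection events (not appliance data):
# (event time, VPN user ID, public IP originating the connection), matching the
# Time, User and Public IP columns of the VPN Events report.
SAMPLE_EVENTS = [
    ("2016-01-12T08:00:00", "alice", "203.0.113.10"),
    ("2016-01-12T08:05:00", "bob", "198.51.100.7"),
    ("2016-01-12T09:30:00", "alice", "203.0.113.10"),  # same user, same IP: ends the 08:00 session
    ("2016-01-12T10:00:00", "alice", "203.0.113.99"),  # same user, different IP: a separate session
    ("2016-01-12T11:00:00", "bob", "198.51.100.7"),    # ends bob's 08:05 session
]


@dataclass
class Session:
    user: str
    public_ip: str
    connected_at: str
    # None while the appliance still considers the session active.
    disconnected_at: Optional[str] = None


def replay_sessions(events):
    """Apply the disconnect rule to a list of connection events.

    Returns (recorded, active): `recorded` are the sessions the rule considers
    disconnected, i.e. those that would be written permanently to the
    authentication table; `active` are sessions with no later connection
    attempt from the same user and public IP.
    """
    active: Dict[Tuple[str, str], Session] = {}
    recorded: List[Session] = []
    # Sorting by the ISO-8601 timestamp makes the replay independent of
    # the order in which the events were received.
    for ts, user, ip in sorted(events):
        key = (user, ip)
        prior = active.get(key)
        if prior is not None:
            # No disconnect message exists; the new attempt from the same
            # user and IP is what marks the earlier session as ended.
            prior.disconnected_at = ts
            recorded.append(prior)
        active[key] = Session(user, ip, ts)
    return recorded, list(active.values())


def active_count_by_user(events):
    """Sessions still considered active, counted per user (what a Count
    column grouped by User would show for active sessions)."""
    counts: Dict[str, int] = {}
    for session in replay_sessions(events)[1]:
        counts[session.user] = counts.get(session.user, 0) + 1
    return counts


if __name__ == "__main__":
    recorded, active = replay_sessions(SAMPLE_EVENTS)
    for s in recorded:
        print(f"recorded  {s.user:6} {s.public_ip:14} {s.connected_at} -> {s.disconnected_at}")
    for s in active:
        print(f"active    {s.user:6} {s.public_ip:14} {s.connected_at}")
```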
Policy Reports
To search for and generate reports on information about policies that were exercised on a log source, use Policy reports.
The Report Information tab that appears when you click on home: Reports > Policy Reports lists which reports are available for each log source.
To access Policy Reports
Choose home: Reports > Policy Reports > report-name from the navigation menu, where report-name is one of:
Table 88 Policy Reports
Report | Description
Check Point Policies | The Check Point Policies report lists current Check Point Firewall policy rules on log sources connected to your Appliance.
Network Policies | Use the Network Policies screen to search for and generate a report on the number of times a particular network policy has been exercised by a selected firewall device.
Rules/Policies | Use the Rules/Policies screen to search for and generate a report on enforcement of a particular rule or policy by a selected firewall device.
ECM Policy | Use the ECM Policy screen to search for and generate a report on data leak protection events captured by the log source device.
Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports. Check Point Policy reports do not include the common options shared by other Real-Time Reports.
Optional filter operators are different for each Policy report, and are explained in their respective sections.
For information on saving the generated report, see Saving a Generated Report on page 119.
Check Point Policies Reports
To search for and generate a report listing current Check Point Firewall policy rules on log sources connected to your Appliance, use the Check Point Policy Real-Time Report.
Menu path: home: Reports > Policy Reports > Check Point Policy
Table 89 Check Point Policy Screen Elements
Element | Description
LEA Server | LEA servers connected to your system.
Package | Security package that Check Point organizes for policy rules. For example, you can install one package on a firewall, but you can define several packages at the same time.
Rule Index | Rule numbers (representing Check Point indices) that the CPMI process retrieves. You can view Check Point policy rules only if you configured your LEA server to use auto discovery (CPMI). Note: Rule 0 is not assigned by Check Point. It is assigned by LogLogic as a default for parsed messages that do not automatically have a rule number assigned by Check Point.
Rule | Description for the rule.
For information on saving the generated report, see Saving a Generated Report on page 119.
Network Policies Reports
To search for and generate a report on the number of times a particular network policy has been exercised by selected firewall log sources during a specified time interval, use the Network Policies Real-Time Report.
Menu path: home: Reports > Policy Reports > Network Policies
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Log Source IP, Source IP, Destination IP, Destination Port, Signature, and Count:
Table 90 Network Policies Report Optional Filter Operators
Option | Description
Log Source IP | IP address of the device that sent these log messages
Source IP | IP address of the device that exercised the policy
Source Port | Port of the source device
Destination IP | IP address of the destination device
Destination Port | Port of the destination device
Protocol | Protocol of the destination device
Signature | Identifier of the policy
Classification | Classification of the policy
Priority | Priority of the policy
Count | Number of times a policy was exercised
For information on saving the generated report, see Saving a Generated Report on page 119.
Rules/Policies Reports
To search for and generate a report on information about enforcement of a particular rule or policy by selected firewall devices during a specified time interval, use the Rules/Policies Real-Time Report.
Menu path: home: Reports > Policy Reports > Rules/Policies
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display all the following options:
Table 91 Rules/Policies Report Optional Filter Operators
Option | Description
Interface | Name (or IP address) of the network interface that enforced the policy
Rule | Rule number that was enforced (Check Point Interface only)
Policy | Policy number that was enforced
Type | Type of rule/policy that was enforced
Messages | Number of messages received representing this policy
Bar Graph | Number of messages received expressed as a bar graph
Percentage | Number of messages received expressed as a percentage
Package | Security policy package (Check Point Interface only)
Rule Description | Displays Rule Details: Source, Destination, Service Description and Rule Actions: Permit, Deny, etc. (Check Point Interface only)
For information on saving the generated report, see Saving a Generated Report on page 119.
ECM Policy Reports
To search for and generate a report on data leak protection events captured by the log source device, use the ECM Policy Real-Time Report.
Menu path: home: Reports > Policy Reports > ECM Policy
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Source Device IP, Performer Name, Parent Name, Event, Event Name, and Count:
Table 92 ECM Policy Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Source Device IP | IP address of the device that exercised the policy
Performer Name | Name of the performer
Parent Name | Name of the parent
Object Name | Name of the object that was acted on
Event | The type of event
Event Name | Name of the event
Source Name | Name of the source host device
Count | Number of attacks
For information on saving the generated report, see Saving a Generated Report on page 119.
Enterprise Content Management
To search for and generate reports on information about enterprise content management, use Enterprise Content Management reports.
The Report Information tab that appears when you click on home: Reports > Enterprise Content Management Reports lists which reports are available for each log source.
To access Enterprise Content Management Reports
Choose home: Reports > Enterprise Content Management Reports > report-name from the navigation menu, where report-name is one of:
Table 93 Enterprise Content Management Reports
Report | Description
ECM Activity | Use the ECM Activity screen to generate a report for ECM activity.
Content Management | Use the Content Management screen to generate a report containing logs of events which correspond to some action done on the contents of the site.
Security Settings | Use the Security Settings screen to generate a report containing logs of all the events related to creation, deletion, modification of user/group/roles.
Expiration and Disposition | Use the Expiration and Disposition screen to generate a report containing logs of all events related to object expiration and disposition approvals.
Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports. Check Point Policy reports do not include the common options shared by other Real-Time Reports.
Optional filter operators are different for each Enterprise Content Management report, and are explained in their respective sections.
For information on saving the generated report, see Saving a Generated Report on page 119.
ECM Activity Reports
To search for and generate a report on ECM activity, use the ECM Activity Real-Time Report.
Menu path: home: Reports > Enterprise Content Management Reports > ECM Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Source Device IP, Performer Name, Parent Name, Event, and Count:
Table 94 ECM Activity Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Source Device IP | IP address of the device that exercised the policy
Performer Name | Name of the performer
Parent Name | Name of the parent
Object Name | Name of the object that was acted on
Event | The type of event
Event Name | Name of the event
Source Name | Name of the source host device
Source IP | IP address of the source host
Destination IP | IP address that was targeted
Source Port | Port from which the attack originated
Destination Port | Port that was targeted
Protocol | Protocol of the destination device
Count | Number of attacks
For information on saving the generated report, see Saving a Generated Report on page 119.
Content Management Reports
To search for and generate a report containing logs of events which correspond to some action done on the contents of the site, use the Content Management Real-Time Report.
Menu path: home: Reports > Enterprise Content Management Reports > Content Management
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Source Device IP, Performer Name, Parent Name, Object Type, Event, and Count:
Table 95 Content Management Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Source Device IP | IP address of the device that exercised the policy
Performer Name | Name of the performer
Parent Name | Name of the parent
Object Type | Type of object that was acted on
Object Name | Name of the object that was acted on
Event | The type of event
Event Name | Name of the event
Source Name | Name of the source host device
Count | Number of attacks
For information on saving the generated report, see Saving a Generated Report on page 119.
Security Settings Reports
To search for and generate a report containing logs of all the events related to creation, deletion, modification of user/group/roles, use the Security Settings Real-Time Report.
Menu path: home: Reports > Enterprise Content Management Reports > Security Settings
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Source Device IP, Performer Name, Parent Name, Event, and Count:
Table 96 Security Settings Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Source Device IP | IP address of the device that exercised the policy
Performer Name | Name of the performer
Parent Name | Name of the parent
Object Name | Name of the object that was acted on
Event | The type of event
Event Name | Name of the event
Source Name | Name of the source host device
Count | Number of attacks
For information on saving the generated report, see Saving a Generated Report on page 119.
Expiration and Disposition Reports
To search for and generate a report containing logs of all events related to object expiration and disposition approvals, use the Expiration and Disposition Real-Time Report.
Menu path: home: Reports > Enterprise Content Management Reports > Expiration and Disposition
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can select to view various options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Source Device IP, Performer Name, Parent Name, Object Name, Event, Event Name, and Count:
Table 97 Expiration and Disposition Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Source Device IP | IP address of the device that exercised the policy
Performer Name | Name of the performer
Parent Name | Name of the parent
Object Name | Name of the object that was acted on
Event | The type of event
Event Name | Name of the event
Source Name | Name of the source host device
Count | Number of attacks
For information on saving the generated report, see Saving a Generated Report on page 119.
HP NonStop Audit
To search for and generate reports on information about HP NonStop systems and their Audit and EMS log data, use HP NonStop Audit reports.
The Report Information tab that appears when you click on home: Reports > HP NonStop Audit Reports lists which reports are available for each log source.
To access HP NonStop Audit Reports
Choose home: Reports > HP NonStop Audit Reports > report-name from the navigation menu, where report-name is one of:
Table 98 HP NonStop Audit Reports
Report | Description
Configuration Changes | Use the Configuration Changes screen to generate a report for all configuration changes done on an HP NonStop server during a specified time.
Failed and Successful Logins | Use the Failed and Successful Logins screen to generate a report for all successful and failed logins on an HP NonStop Audit server.
Object Changes | Use the Object Changes screen to generate a report for all objects that are accessed on an HP NonStop Audit server.
HP NonStop Audit Activity | Use the HP NonStop Audit Activity screen to generate a report for all audit activities on an HP NonStop Audit server.
User Actions | Use the User Actions screen to generate a report for all user actions done on an HP NonStop Audit server.
Object Access | Use the Object Access screen to generate a report for a list of all objects created, deleted, or modified on an HP NonStop Audit server.
Preparing a Real-Time Report on page 116
includes the common options that you specify for all Real-Time Reports.
Optional filter operators are different for each HP NonStop Audit report, and explained in their respective sections.
For information on saving the generated report, see Saving a Generated Report on page 119.
Configuration Changes Reports
To search for and generate a report on all configuration changes made on an HP NonStop server during a specified time, use the Configuration Changes Real-Time Report.
Menu path: home: Reports > HP NonStop Audit Reports > Configuration Changes
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, User Name, Creator User Name, Target User, Event Name, Action, Status, and Count:
Table 99 Configuration Changes Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
User Name | Name of the user making the inquiry
Creator User Name | Username of the creator
Target User | User for whom the inquiry is being made
User Group | Name of the group
Reported Time | Time the event was reported
Process Name | Name of the process
Event Name | Name of the event
Object Type | Type of object that was acted on
Action | Action taken
Status | Status of the connection
Count | Number of attacks
For information on saving the generated report, see Saving a Generated Report on page 119.
Failed and Successful Logins Reports
To search for and generate a report for all successful and failed logins on an HP NonStop Audit server, use the Failed and Successful Logins Real-Time Report.
Menu path: home: Reports > HP NonStop Audit Reports > Failed and Successful Logins
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, User Name, Creator User Name, Target User, Event Name, Action, Status, and Count:
Table 100 Failed and Successful Logins Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
User Name | Name of the user making the inquiry
Creator User Name | Username of the creator
Target User | User for whom the inquiry is being made
User Group | Name of the group
Reported Time | Time the event was reported
Process Name | Name of the process
Event Name | Name of the event
Object Type | Type of object that was acted on
Action | Action taken
Status | Status of the connection
Count | Number of attacks
For information on saving the generated report, see Saving a Generated Report on page 119.
Object Changes Reports
To search for and generate a report for all objects that are accessed on an HP NonStop Audit server, use the Object Changes Real-Time Report.
Menu path: home: Reports > HP NonStop Audit Reports > Object Changes
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, User Name, Creator User Name, Target User, Event Name, Action, Status, and Count:
Table 101 Object Changes Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
User Name | Name of the user making the inquiry
Creator User Name | Username of the creator
Target User | User for whom the inquiry is being made
User Group | Name of the group
Reported Time | Time the event was reported
Process Name | Name of the process
Event Name | Name of the event
Object Type | Type of object that was acted on
Action | Action taken
Status | Status of the connection
Count | Number of attacks
For information on saving the generated report, see Saving a Generated Report on page 119.
HP NonStop Audit Activity Reports
To search for and generate a report for all audit activities on an HP NonStop Audit server, use the HP NonStop Audit Activity Real-Time Report.
Menu path: home: Reports > HP NonStop Audit Reports > HP NonStop Audit Activity
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, User Name, Creator User Name, Target User, Event Name, Action, Status, and Count:
Table 102 HP NonStop Audit Activity Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
User Name | Name of the user making the inquiry
Creator User Name | Username of the creator
Target User | User for whom the inquiry is being made
User Group | Name of the group
Reported Time | Time the event was reported
Process Name | Name of the process
Event Name | Name of the event
Object Type | Type of object that was acted on
Action | Action taken
Status | Status of the connection
Count | Number of attacks
For information on saving the generated report, see Saving a Generated Report on page 119.
User Actions Reports
To search for and generate a report for all user actions done on an HP NonStop Audit server, use the User Actions Real-Time Report.
Menu path: home: Reports > HP NonStop Audit Reports > User Actions
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, User Name, Creator User Name, Target User, Event Name, Action, Status, and Count:
Table 103 User Actions Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
User Name | Name of the user making the inquiry
Creator User Name | Username of the creator
Target User | User for whom the inquiry is being made
User Group | Name of the group
Reported Time | Time the event was reported
Process Name | Name of the process
Event Name | Name of the event
Object Type | Type of object that was acted on
Action | Action taken
Status | Status of the connection
Count | Number of attacks
For information on saving the generated report, see Saving a Generated Report on page 119.
Object Access Reports
To search for and generate a report for a list of all objects created, deleted, or modified on an HP NonStop Audit server, use the Object Access Real-Time Report.
Menu path: home: Reports > HP NonStop Audit Reports > Object Access
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, User Name, Creator User Name, Target User, Event Name, Action, Status, and Count:
Table 104 Object Access Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
User Name | Name of the user making the inquiry
Creator User Name | Username of the creator
Target User | User for whom the inquiry is being made
User Group | Name of the group
Reported Time | Time the event was reported
Process Name | Name of the process
Event Name | Name of the event
Object Type | Type of object that was acted on
Action | Action taken
Status | Status of the connection
Count | Number of attacks
For information on saving the generated report, see Saving a Generated Report on page 119.
IBM z/OS Activity
To search for and generate reports on information about IBM z/OS system-generated operational and audit logs in binary format, use IBM z/OS Activity reports.
The Report Information tab that appears when you click on home: Reports > IBM z/OS Activity Reports lists which reports are available for each log source.
To access IBM z/OS Activity Reports
Choose home: Reports > IBM z/OS Activity Reports > report-name from the navigation menu, where report-name is one of:
Table 105 IBM z/OS Activity Reports
Report | Reports Provide
Resource Access | Use the Resource Access screen to generate a report for resource access on z/OS.
Security Modifications | Use the Security Modifications screen to generate a report for security modifications on z/OS.
System Access/Configuration | Use the System Access/Configuration screen to generate a report for access and configuration on z/OS.
Unix System Services | Use the Unix System Services screen to generate a report for Unix system services on z/OS.
Login/Logout | Use the Login/Logout screen to generate a report for login and logout activities on z/OS.
Violation | Use the Violation screen to generate a report for violation activities on z/OS.
Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.
Optional filter operators are different for each IBM z/OS report, and are explained in their respective sections.
For information on saving the generated report, see Saving a Generated Report on page 119.
Resource Access Reports
To search for and generate a report on resource access on z/OS, use the Resource Access Real-Time Report.
Menu path: home: Reports > IBM z/OS Activity > Resource Access
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Record Type Description, Action, Status, and Count:
Table 106 Resource Access Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Record Type ID | The ID of the record type
Record Type Description | Description of the record type
SubType Description | Description of the sub type
Event Type | Type of event in the journal type
Logon ID/User ID | A user ID or login ID involved in the recorded event
Job Name | Name of the journal job or the job that was the target of the action described in the entry
Target Object Name | Name of the object that was acted on
Target Object Type | Type of target object that was acted on
Action | Action taken
Status | Status of the connection
Count | A count of action attempts, entries, or other count information dependent on journal and entry type.
For information on saving the generated report, see Saving a Generated Report on page 119.
Security Modifications Reports
To search for and generate a report for security modification activities on z/OS, use the Security Modifications Real-Time Report.
Menu path: home: Reports > IBM z/OS Activity > Security Modifications
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Record Type Description, Event Type, Action, Status, and Count:
Table 107 Security Modifications Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Record Type ID | The ID of the record type
Record Type Description | Description of the record type
SubType Description | Description of the sub type
Event Type | Type of event in the journal type
Logon ID/User ID | A user ID or login ID involved in the recorded event
Job Name | Name of the journal job or the job that was the target of the action described in the entry
Target Object Name | Name of the object that was acted on
Target Object Type | Type of target object that was acted on
Action | Action taken
Status | Status of the connection
Count | A count of action attempts, entries, or other count information dependent on journal and entry type.
For information on saving the generated report, see Saving a Generated Report on page 119.
System Access/Configuration Reports
To search for and generate a report for access and configuration activities on z/OS, use the System Access/Configuration Real-Time Report.
Menu path: home: Reports > IBM z/OS Activity > System Access/Configuration
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Record Type Description, Event Type, Action, Status, and Count:
Table 108 System Access/Configuration Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Record Type ID | The ID of the record type
Record Type Description | Description of the record type
SubType Description | Description of the sub type
Event Type | Type of event in the journal type
Logon ID/User ID | A user ID or login ID involved in the recorded event
Job Name | Name of the journal job or the job that was the target of the action described in the entry
Action | Action taken
Status | Status of the connection
Count | A count of action attempts, entries, or other count information dependent on journal and entry type.
For information on saving the generated report, see Saving a Generated Report on page 119.
Unix System Services Reports
To search for and generate a report for Unix system services on z/OS, use the Unix System Services Real-Time Report.
Menu path: home: Reports > IBM z/OS Activity > Unix System Services
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Record Type Description, Event Type, Action, Status, and Count:
Table 109 Unix System Services Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Record Type ID | The ID of the record type
Record Type Description | Description of the record type
SubType Description | Description of the sub type
Event Type | Type of event in the journal type
Logon ID/User ID | A user ID or login ID involved in the recorded event
Job Name | Name of the journal job or the job that was the target of the action described in the entry
Target Object Name | Name of the object that was acted on
Target Object Type | Type of target object that was acted on
Action | Action taken
Status | Status of the connection
Count | A count of action attempts, entries, or other count information dependent on journal and entry type.
For information on saving the generated report, see Saving a Generated Report on page 119.
Login/Logout Reports
To search for and generate a report for login and logout activities on z/OS, use the Login/Logout Real-Time Report.
Menu path: home: Reports > IBM z/OS Activity > Login/Logout
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Record Type Description, Event Type, Action, Status, and Count:
Table 110 Login/Logout Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Record Type ID | The ID of the record type
Record Type Description | Description of the record type
SubType Description | Description of the sub type
Event Type | Type of event in the journal type
Logon ID/User ID | A user ID or login ID involved in the recorded event
Target User | User for whom the inquiry is being made
Job Name | Name of the journal job or the job that was the target of the action described in the entry
Action | Action taken
Status | Status of the connection
Count | A count of action attempts, entries, or other count information dependent on journal and entry type.
For information on saving the generated report, see Saving a Generated Report on page 119.
Violation Reports
To search for and generate a report for violation activities on z/OS, use the Violation Real-Time Report.
Menu path: home: Reports > IBM z/OS Activity > Violation
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Record Type Description, Event Type, Action, Status, and Count:
Table 111 Violation Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Record Type ID | The ID of the record type
Record Type Description | Description of the record type
SubType Description | Description of the sub type
Event Type | Type of event in the journal type
Logon ID/User ID | A user ID or login ID involved in the recorded event
Target User | User for whom the inquiry is being made
Job Name | Name of the journal job or the job that was the target of the action described in the entry
Target Object Name | Name of the object that was acted on
Target Object Type | Type of target object that was acted on
Violation Occurred |
Action | Action taken
Status | Status of the connection
Count | A count of action attempts, entries, or other count information dependent on journal and entry type.
For information on saving the generated report, see Saving a Generated Report on page 119.
Storage Systems Activity
To search for and generate reports on information about file and directory access, use Storage Systems Activity reports.
The Report Information tab that appears when you click on home: Reports > Storage Systems Activity Reports lists which reports are available for each log source.
To access Storage Systems Activity Reports
Choose home: Reports > Storage Systems Activity Reports > report-name from the navigation menu, where report-name is one of:
Table 112 Storage Systems Activity Reports
Report | Reports Provide
Filer Access | Use the Filer Access screen to generate a report for individual file and directory access events, such as user, timestamp, result, etc., on z/OS.
Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.
Optional filter operators are different for each Storage Systems Activity report, and are explained in their respective sections.
For information on saving the generated report, see Saving a Generated Report on page 119.
Filer Access Reports
To search for and generate a report for individual file and directory access events, use the Filer Access Real-Time Report.
Menu path: home: Reports > Storage Systems Activity > Filer Access
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, User, Filer IP, Filer Name, Action, Status, and Count:
Table 113 Filer Access Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
User | User who is making the inquiry
Source IP | IP address of the source host device
Target User | User for whom the inquiry is being made
Filer IP | IP address of the filer
Filer Name | Name of the filer
Action | Action taken
Status | Status of the connection
Count | Number of connections
For information on saving the generated report, see Saving a Generated Report on page 119.
Flow Activity
To search for and generate reports on information about application usage, user browsing, and top users, use Flow Activity reports.
The Report Information tab that appears when you click on home: Reports > Flow Activity Reports lists which reports are available for each log source.
To access Flow Activity Reports
Choose home: Reports > Flow Activity Reports > report-name from the navigation menu, where report-name is one of:
Table 114 Flow Activity Reports
Report | Reports Provide
Application Usage | Use the Application Usage screen to generate a report for application usage seen across all traffic.
User Browsing Statistics | Use the User Browsing Statistics screen to generate a report for site destination statistics by user.
Top Users | Use the Top Users screen to generate a report for top traffic users.
Preparing a Real-Time Report on page 116 includes the common options that you specify for all Real-Time Reports.
Optional filter operators are different for each Flow Activity report, and are explained in their respective sections.
For information on saving the generated report, see Saving a Generated Report on page 119.
Application Usage Reports
To search for and generate a report for application usage seen across all traffic, use the Application Usage Real-Time Report.
Menu path: home: Reports > Flow Activity > Application Usage
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Time, Category, Application Name, Bar Graph, Percentage, Total Traffic, and Count:
Table 115 Application Usage Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Time | Time of connection
Category | The type of category
Application Name | Name of the application
Bar Graph | Percentage of total bytes represented as a bar graph
Percentage | Number of bytes represented as a percentage
Total Traffic | Total amount of traffic
Count | Number of connections
For information on saving the generated report, see Saving a Generated Report on page 119.
User Browsing Reports
To search for and generate a report for site destination statistics by user, use the User Browsing Statistics Real-Time Report.
Menu path: home: Reports > Flow Activity > User Browsing Statistics
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Time, User IP, Destination Name, and Number of times Accessed:
Table 116 User Browsing Statistics Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Time | Time of connection
User IP | IP address of the user making the inquiry
Destination Address | IP address that was targeted
Number of times Accessed | The number of times accessed
For information on saving the generated report, see Saving a Generated Report on page 119.
Top Users Reports
To search for and generate a report for top traffic users, use the Top Users Real-Time Report.
Menu path: home: Reports > Flow Activity > Top Users
In addition to setting the common report options in Preparing a Real-Time Report on page 116, you can select optional filter operators in the generated report.
You can sort the report on any of these options in ascending or descending order. Choose the sort order by using the drop-down menu. The default is to display the Source Device, Time, User IP, Bar Graph, Percentage, Total Traffic, and Count:
Table 117 Top Users Report Optional Filter Operators
Option | Description
Source Device | Device that sent these log messages
Time | Time of connection
Category | The type of category
User IP | IP address of the user making the inquiry
Bar Graph | Percentage of total bytes represented as a bar graph
Percentage | Number of bytes represented as a percentage
Total Traffic | Total amount of traffic
Count | Number of connections
For information on saving the generated report, see Saving a Generated Report on page 119.
All Saved Reports
The All Saved Reports screen displays a list of all saved reports for specific types of data based on search expressions and time intervals you have defined and saved in the past. All saved searches and types, such as Index Search, RegEx Search, Index Report, etc., that are stored in the system are visible on this page as shown below.
You may click the Run icon and regenerate the report with a different time range, or click the Edit icon and change the saved report parameters before rerunning the report. All options are available, not just the ones originally selected. You may customize the new report using new filters and wildcards. You can also filter the list of saved reports displayed by title or by typing a key word from the report title in the Find field and pressing Enter. The key word or words will be highlighted in the resulting list. To restore the full list of saved reports, clear the Find field and press Enter again.
For more information on saving the generated report, see Saving a Generated.
Chapter 7 Setting User Preferences
The admin tab on the home page allows you to set values for your Account Information and System Preferences, and to Change Password.
Topics
• Viewing Your LogApp Account on page 230
• Changing Login Landing Page on page 231
• Changing LogApp Account Password on page 232
Viewing Your LogApp Account
To view your LogApp Account
1. Choose admin from the home page.
2. Review and accept or change the default settings as explained in .
Table 118 Account Options
Element | Description
Account Information
User Login | The login name of the current user. This can be reset by the system administrator or user.
Email Address | The email address of the current user. This can be reset by the system administrator or user.
System Preferences
Rows per Page | The number of rows that display in each report page. Can be set from 10 to 1000 rows by user.
Page Refresh Rate | The page refresh rate in seconds. Can be set from 30 to 600 seconds by user.
Emailed Chart Size | The number of segments in display charts. Can be set from 3 to 30 segments by user.
Session Timeout | Session Timeout can be set from 5 to 300 minutes by user. The default is 300 minutes (5 hours).
Enable Multiline View | Checking this checkbox enables display of multiple lines in PDF and HTML reports.
Login Landing Page | The page that appears immediately after logging into the LMI Appliance. You can change this at any time. For instructions, see Changing Login Landing Page on page 231.
3. Click Save.
Changing Login Landing Page
The Login Landing Page (Home) appears immediately upon logging in to the LMI Appliance. By default, the LogLogic Overview Welcome screen is displayed. However, you can change your landing page at any time.
To change your login landing page
1. Choose admin from the home page.
2. Click the down arrow next to Login landing page and select one of these other landing page options: My Dashboard, System Status, Triggered Alerts, Index Search, All Saved Reports, and All Saved Searches.
3. Click Save.
The next time you log in to the Appliance, the alternate home page that you selected in this step is displayed. You can change this destination at any time.
Changing LogApp Account Password
You can change your password at any time.
To change your password
1. Choose admin from the home page.
2. Click the Change Password button.
3. The Change Password dialog box appears. It displays the date of the last password update.
4. In the Current Password field, enter your current password.
5. In the New Password field, enter your new password. Note the password requirements specified on the window.
6. In the Confirm New Password field, enter your new password again for verification.
Appendix A Syslog Host Field Character Sets
This appendix describes the acceptable character sets in an ASCII syslog header.
Topics
• Syslog Header Character Sets on page 234
•
Syslog Header Character Sets
The following table lists and describes the acceptable characters in an ASCII syslog header.
Table 119 Acceptable Alpha/Numeric Character Sets
Character Descriptions | Examples
Alpha chars, upper or lower case | A-Z and a-z
Numbers | 0-9
Punctuation | at @ underscore _ period . backslash / colon : asterisk * brackets [ ] parenthesis ( ) plus + minus - space tab
Exceptions
The following exceptions are noted for ASCII syslog headers:
• Some Unix/Linux syslog messages have a path in the process name. That is taken care of by looking for a leading backslash (/) and any number of the following characters:
— Alpha characters, upper or lower case: A-Z a-z
— The numbers 0-9
— Punctuation including: underscore _ period . dash -
• Space and tab use depends on the log source. Some log sources have spaces at the point right before the log source target string is found. Others have only a tab. Specifically:
— Windows messages require a space before the target string.
— Cisco VPN3000 requires a tab.
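As an added example (not LogLogic code), the following Python encodes Table 119 and the two exceptions above as checks a collector could run on incoming header fields before parsing them. It assumes the page's "backslash (/)" means the "/" glyph as printed, that "minus" is "-", and that "/" may also separate the components of a pathed process name; every sample header is constructed.

```python
"""Check syslog header fields against the LMI ASCII character-set rules.

Added example, not LogLogic code. It encodes Table 119 and the Exceptions
list; every sample header below is constructed for illustration.
"""
import string
from typing import List, Tuple

# Table 119: acceptable characters in an ASCII syslog header. The page prints
# the slash glyph "/" (labelled "backslash") and the word "minus"; this code
# assumes those mean "/" and "-".
HEADER_ALPHA = set(string.ascii_letters)   # A-Z and a-z
HEADER_DIGITS = set(string.digits)         # 0-9
HEADER_PUNCT = set("@_./:*[]()+-")         # at, underscore, period, slash, colon,
                                           # asterisk, brackets, parentheses,
                                           # plus, minus
HEADER_SPACE = set(" \t")                  # space, tab
HEADER_CHARS = HEADER_ALPHA | HEADER_DIGITS | HEADER_PUNCT | HEADER_SPACE

# Exception 1: after the leading "/" of a pathed process name the page lists
# only letters, digits, underscore, period and dash. "/" is accepted here as
# well, as the separator between path components (assumption).
PATH_CHARS = HEADER_ALPHA | HEADER_DIGITS | set("_.-/")

# Exception 2: whitespace required immediately before the target string.
SOURCE_DELIMITER = {"windows": " ", "cisco_vpn3000": "\t"}


def invalid_header_chars(field: str) -> List[Tuple[int, str]]:
    """Return (offset, char) for every character outside the Table 119 set.

    Non-ASCII and control characters are reported because the header is
    defined as ASCII; a clean field yields an empty list.
    """
    return [(i, c) for i, c in enumerate(field) if c not in HEADER_CHARS]


def is_valid_process_name(name: str) -> bool:
    """Accept a bare process name or a Unix/Linux pathed one (Exception 1).

    A bare name may use any Table 119 character except whitespace
    (assumption: a process name never spans a space or tab). A pathed name
    starts with "/" and is restricted to PATH_CHARS after that.
    """
    if not name:
        return False
    if name.startswith("/"):
        return all(c in PATH_CHARS for c in name[1:])
    return all(c in HEADER_CHARS and c not in HEADER_SPACE for c in name)


def delimiter_before_target_ok(header: str, target: str, log_source: str) -> bool:
    """Check the whitespace that precedes `target` for the given log source.

    Windows requires a space, Cisco VPN3000 a tab (Exceptions list). For any
    other source either space or tab is accepted (assumption).
    """
    pos = header.find(target)
    if pos <= 0:
        return False
    delimiter = header[pos - 1]
    required = SOURCE_DELIMITER.get(log_source.lower())
    if required is None:
        return delimiter in HEADER_SPACE
    return delimiter == required


if __name__ == "__main__":
    # Constructed headers: a Windows agent line and a Cisco VPN3000 line.
    win = "Jan 12 10:00:01 WIN-DC01 MSWinEventLog\t1\tSecurity\t4624"
    vpn = "Jan 12 10:00:02 vpn3000-gw\t12345 01/12/2016 10:00:02.000 SEV=4"
    print(invalid_header_chars("h\u00f4st;01"))                        # [(1, 'ô'), (4, ';')]
    print(is_valid_process_name("/usr/sbin/cron"))                      # True
    print(delimiter_before_target_ok(win, "MSWinEventLog", "windows"))  # True
    print(delimiter_before_target_ok(vpn, "12345", "cisco_vpn3000"))    # True
```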
Index
A
Accepted Connections
Access Control
Active FW Connections
Active VPN Connections
alert receivers
Alert Viewer
alerts
  add new template format 102
  adding 102, 106, 108
All Database Events
All Unparsed Events
appliances
Application Distribution
B
Boolean expression, entering 62
C
change LogApp account password 232
Check Point Policy
  Real-Time report 199
  tab description 199
  using 199
clipboard
  adding a new 75
  index search 75
configuring result settings 67
Connectivity
CPU Usage
D
Database Access
Database Activity
Database Data Access report 137
Database Privilege Modifications
Database System Modifications
Denied Connections
devices
E
Event Logs
examples
  index search 62
exceptions
Exchange 2000/03 SMTP Activity 164
Exchange 2000/03 SMTP Activity Report 165
expressions index search, entering 62
F
filters
Finished Search
FTP Connections
G
groups
I
IBM i5/OS Activity Reports
IDS
Real-Time report 154, 155, 156, 157, 159, 160, 161, 162
IDS Activity
Index Search
  adding a new clipboard for 75
  clipboard 75
examples 62
results, viewing in context 70
index search expression rules 62
L
log messages
Log Source Status
M
Mail Activity
Real-Time report 164, 165, 167
Mail Delay
Mail Size
management station
message rate
N
Network Policies
Real-Time report 199, 201, 204, 205, 206, 209, 210,
211, 212, 213, 214, 216, 217, 218
P
Parameterized Pre-defined Regular Expression Search
Pending Search
Permission Modification
Policy reports
R
Real-Time reports
IBM i5/OS activity reports 140
Real-Time Viewer
Recent Messages
regular expression (RegEx) search 79
regular expression (regex) search
results index search, index search
rules, index search expression 62
Rules/Policies
Running Search
User Guide
|
239
240
|
S
search
Search Filters
overview 86 tab description 86
Search IP Address
Security Events
Syslog Header character sets 234
System Events
System Object Access
system status
viewing (management station) 27
T
templates
trends
User Guide
U
Unapproved Messages
User Access
User Access By Connection
User Actions
User Authentication
User Jobs
User Last Activity
users
Users Created/Denied
V
viewing
VPN Access
VPN Events
VPN Sessions
VPN/RADIUS Top Lists
W
Web Cache
Web Surfing
Real-Time report 185, 186, 187, 188, 189
Window Events
|
241
User Guide
Table of contents
- 9 Preface
- 10 Related Documents
- 11 Typographical Conventions
- 13 Technical Support
- 13 How to Join TIBCOmmunity
- 13 How to Access TIBCO Documentation
- 13 How to Contact TIBCO Support
- 15 Chapter 1 Using LogLogic Appliances
- 16 LogLogic Appliance Overview
- 17 Appliance User Functions
- 18 LogLogic Product Families
- 18 LogLogic LX Product Family
- 19 LogLogic MX Product Family
- 19 LogLogic ST Product Family
- 20 Scalable Infrastructure
- 21 Chapter 2 Viewing Dashboards
- 22 Viewing System Status
- 27 Viewing Multiple Systems Status (Management Station)
- 29 Viewing Message Rate
- 30 Viewing CPU Usage
- 32 Viewing Log Source Status
- 35 Viewing Unapproved Messages
- 36 Viewing Recent Messages
- 38 Viewing Log Source Data Trend
- 39 Managing Your Dashboard
- 40 Managing Widgets
- 50 Defining your Dashboard Canvas Settings
- 51 Chapter 3 Viewing Real Time Log Messages
- 52 Accessing and Selecting Real Time Messages to View
- 56 Viewing Log Messages in Real Time
- 57 Java Security Settings
- 57 Modifying your Java settings
- 59 Chapter 4 Searching Collected Log Messages
- 60 Search Overview
- 62 Using Index Search
- 62 Search Expression Rules
- 63 Running an Index Search
- 65 Using the Search Results Tab
- 73 Using the Search History Tab
- 75 Using the Search Filters Tab
- 75 Using the Clipboard Tab
- 78 Tag-Based Searches Using the Tag Picker Interface
- 79 Using Regular Expression Search
- 81 Using Distributed Regular Expression Search
- 83 Viewing Pending and Running Searches
- 85 Viewing RegEx Search Results
- 86 Using Search Filters
- 86 Adding a Search Filter
- 87 Search Filter Options
- 90 Putting Your Logins Search Filter to Work
- 91 Adding Additional Parameters to a Pre-Defined Regular Expression Search Filter
- 94 Modifying a Search Filter
- 95 Viewing All Saved Index Searches
- 96 Using and Creating All Index Reports
- 99 Chapter 5 Creating and Managing Alerts
- 100 Viewing and Handling Alerts
- 102 Manage Alert Templates
- 102 Adding a New Alert Template Format
- 106 Viewing and Modifying an Alert Template
- 106 Removing an Alert Template
- 107 Managing Alert Rules
- 107 Preconfigured System Alerts
- 108 Adding a New Alert Rule
- 113 Parsed Data Alerts
- 114 Modifying or Removing An Alert
- 115 Chapter 6 Generating Real-Time Reports
- 116 Preparing a Real-Time Report
- 120 Generating a Report—An Example
- 122 Available Operators
- 125 Access Control Reports
- 126 Permission Modification Reports
- 127 User Access Reports
- 128 User Authentication Reports
- 129 User Created/Deleted Reports
- 130 User Last Activity Reports
- 132 Windows Events Reports
- 134 Database Activity Reports
- 135 All Database Events Reports
- 136 Database Access Report
- 137 Database Data Access Report
- 138 Database Privilege Modifications Report
- 139 Database System Modifications Report
- 140 IBM i5/OS Activity Reports
- 141 All Log Entry Types Reports
- 143 System Object Access Reports
- 146 User Access By Connection Reports
- 148 User Actions Reports
- 151 User Jobs Reports
- 154 Threat Management Reports
- 155 IDS/IPS Activity Reports
- 156 Threat Activity Reports
- 157 Configuration Activity Reports
- 159 Scan Activity Reports
- 160 Security Summary Reports
- 161 DB IPS Activity Reports
- 162 HIPS Activity Reports
- 164 Mail Activity Reports
- 165 Exchange 2000/03 SMTP Reports
- 166 Exchange 2000/03 Activity Reports
- 167 Exchange 2000/03 Delay Reports
- 168 Exchange 2000/03 Size Reports
- 169 Server Activity Reports
- 169 Exchange 2007/10 Activity Reports
- 170 Exchange 2007/10 Mail Size Reports
- 172 Network Activity Reports
- 174 Accepted Connections Reports
- 175 Active FW Connections Reports
- 176 Active VPN Connections Reports
- 177 Application Distribution Reports
- 178 Denied Connections Reports
- 180 FTP Connections Reports
- 181 VPN Access Reports
- 182 VPN Sessions Reports
- 183 VPN Top Lists Reports
- 184 Web Cache Activity Reports
- 185 Web Surfing Activity Report
- 186 DHCP Activity Report
- 187 DHCP Granted/Renewed Activity Report
- 188 DHCP Denied Activity Report
- 189 NAT64 Activity Report
- 191 Operational Reports
- 192 All Unparsed Events Reports
- 192 Firewall Statistics Reports
- 193 Total Message Count Reports
- 194 Security Events Reports
- 195 System Events Reports
- 196 VPN Events Reports
- 198 Policy Reports
- 199 Check Point Policies Reports
- 199 Network Policies Reports
- 200 Rules/Policies Reports
- 201 ECM Policy Reports
- 203 Enterprise Content Management
- 204 ECM Activity Reports
- 205 Content Management Reports
- 205 Security Settings Reports
- 206 Expiration and Disposition Reports
- 208 HP NonStop Audit
- 209 Configuration Changes Reports
- 210 Failed and Successful Logins Reports
- 211 Object Changes Reports
- 212 HP NonStop Audit Activity Reports
- 213 User Actions Reports
- 214 Object Access Reports
- 215 IBM z/OS Activity
- 216 Resource Access Reports
- 217 Security Modifications Reports
- 218 System Access/Configuration Reports
- 218 Unix System Services Reports
- 219 Login/Logout Reports
- 220 Violation Reports
- 222 Storage Systems Activity
- 222 Filer Access Reports
- 224 Flow Activity
- 224 Application Usage Reports
- 225 User Browsing Reports
- 226 Top Users Reports
- 228 All Saved Reports
- 229 Chapter 7 Setting User Preferences
- 230 Viewing Your LogApp Account
- 231 Changing Login Landing Page
- 232 Changing LogApp Account Password
- 233 Appendix A Syslog Host Field Character Sets
- 234 Syslog Header Character Sets
- 235 Exceptions